Windows Analysis Report
App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log

Overview

General Information

Sample Name: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log
Analysis ID: 743454
MD5: 988e0cb19fbc2cf5e3b9a33b205affd8
SHA1: 1b091e30aa366a5cdf582a81954893ac6201f769
SHA256: c289adee6ca95bb69f864497f32a8abbad65d20dccd06c4a1f6c3ef6d402693d

Detection

CobaltStrike, Follina CVE-2022-30190, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Powershell decode and execute
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Yara detected CobaltStrike Stager
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected AntiVM3
Found strings related to Crypto-Mining
Found Tor onion address
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives

Classification

AV Detection

Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log Virustotal: Detection: 16% Perma Link
Source: http://www.bonusesfound.ml/update/index.php Avira URL Cloud: Label: malware
Source: http://shgshgwsdynationalobjindustrialat18ygs.duckdns.org/receipt/invoice_202121.doc Avira URL Cloud: Label: malware
Source: https://www.sputnikradio.net/radio/news/ Avira URL Cloud: Label: malware
Source: http://usa-national.info/gpu/band/grumble.dot Avira URL Cloud: Label: malware
Source: http://192.210.240.8/doc_document/188.doc Avira URL Cloud: Label: malware
Source: https://tph786.com/sale/images/avatar/ Avira URL Cloud: Label: phishing
Source: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email= Avira URL Cloud: Label: phishing
Source: https://blackberryizm.com/frontend/assets/images/favico/report-fedex.php Avira URL Cloud: Label: phishing
Source: http://outfish.bounceme.net/outl.dot Avira URL Cloud: Label: malware
Source: http://ppaauuaa11232.cc/dlx5rc.dotm Avira URL Cloud: Label: malware
Source: https://tpow.zeroworld.xyz/home/application/views/sistem/notifikasi/usqg66westx.php Avira URL Cloud: Label: phishing
Source: http://windowsdefendergateway.duckdns.org/documents.doc Avira URL Cloud: Label: malware
Source: http://83.166.246.59/sgz2/rejoice/lowered.dot Avira URL Cloud: Label: malware
Source: http://198.23.156.247/receipt/receipt.doc Avira URL Cloud: Label: malware
Source: http://192.3.152.171/ Avira URL Cloud: Label: malware
Source: https://hide.link/lfspz Avira URL Cloud: Label: phishing
Source: http://103.167.90.69/receipt/inv_126776.wbk Avira URL Cloud: Label: malware
Source: http://kitten-268.frge.io/article.html Avira URL Cloud: Label: malware
Source: http://usb.mine.nu/c.sh-o/users/shared/c.sh Avira URL Cloud: Label: phishing
Source: http://49.234.67.167/ Avira URL Cloud: Label: malware
Source: http://filecopying.xyz/update/kbp08x Avira URL Cloud: Label: malware
Source: http://media.vitkvitk.com/xmlstatic/ads/videoplaza/vittalia.html?df= Avira URL Cloud: Label: malware
Source: http://3.104.223.22/dhl/receipt.doc Avira URL Cloud: Label: malware
Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc Avira URL Cloud: Label: malware
Source: https://pigeonious.com/img/ Avira URL Cloud: Label: malware
Source: http://swipermachinereview.xyz/wp-includes/t3ow4kf0p0q8oo/ Avira URL Cloud: Label: malware
Source: http://103.167.93.37/invoice/invoice_000499000049.wbk Avira URL Cloud: Label: malware
Source: https://rawcdn.githack.net/up.php?key=5 Avira URL Cloud: Label: malware
Source: https://hosteriaestilonorte.com.ar/admins/uzie/actions.php Avira URL Cloud: Label: phishing
Source: http://83.166.246.59/ua-lt98brkc2/perform/luck/ Avira URL Cloud: Label: malware
Source: http://yourcontents.xyz/0758/0806pn Avira URL Cloud: Label: phishing
Source: http://pretence77.glorious.nonima.ru/elenapc/principles/nearly.mp3 Avira URL Cloud: Label: malware
Source: http://thrprivatecloudshareandfileprotectagent.duckdns.org/receipt/invoice_651254.doc Avira URL Cloud: Label: malware
Source: https://teachon.aerialview.lk/systemdemo/uploads/addons/__macosx/live-class/f2u4p7u3jk.php Avira URL Cloud: Label: malware
Source: http://false.grafitto.ru/dch00-01/rehearsal.dot Avira URL Cloud: Label: malware
Source: https://office.michiganappellateblog.com/soft.dll Avira URL Cloud: Label: malware
Source: http://103.167.90.177/shpdocument/invc_0098008.wbk Avira URL Cloud: Label: malware
Source: https://bb.realestateprivateportfolio.com/img/ Avira URL Cloud: Label: malware
Source: http://www.comeinbaby.com/updateerror/fiif Avira URL Cloud: Label: malware
Source: http://209.127.20.13/b44u8j.dotm Avira URL Cloud: Label: malware
Source: http://lump.semara.ru/dch00-01/counter/nearest/ Avira URL Cloud: Label: malware
Source: http://172.245.119.43/recept/34.doc Avira URL Cloud: Label: malware
Source: http://thomastongrealestate.com/skywkc/3415201.pnga Avira URL Cloud: Label: malware
Source: https://ab.v-mail.online/?e= Avira URL Cloud: Label: phishing
Source: https://lidamtour.com/masivo/file/kmshost/ Avira URL Cloud: Label: malware
Source: http://www.bonusesfound.ml/update/index.php Virustotal: Detection: 10% Perma Link

Exploits

Source: Yara match File source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
Source: Yara match File source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Bitcoin Miner

Source: Yara match File source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
Source: Yara match File source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: c .conffichmod+x/tmp/httpd.conf/tmp/httpd.conf-b-acryptonight-ostratum+tcp://xmr.crypto-pool.fr:443
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: j grep-vgrep|grep"xmr.crypto-pool.fr:3333"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep"monerohash.com
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: c .conffichmod+x/tmp/httpd.conf/tmp/httpd.conf-b-acryptonight-ostratum+tcp://xmr.crypto-pool.fr:443
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: c .conffichmod+x/tmp/httpd.conf/tmp/httpd.conf-b-acryptonight-ostratum+tcp://xmr.crypto-pool.fr:443
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: d grep"mine.moneropool.com"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep"xmr.crypto-pool.fr:8080
Source: Binary string: )9 /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpengine.pdb OGPS source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: b [autorun]
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: b .aziamdescoperit,sianumeautorun.inf.incsiind.inc:[autorun];;open=uksjhr.exe;qkkvolggsbvrgecqsxac
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: b .aziamdescoperit,sianumeautorun.inf.incsiind.inc:[autorun];;open=uksjhr.exe;qkkvolggsbvrgecqsxac

Networking

Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: b <b>http://decoderswlezrsa7.onion</b>intorbrowserandfollowtheinstructions.<br><br>yourpersonalid:
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: <b>http://decoderswlezrsa7.onion</b>intorbrowserandfollowtheinstructions.<br><br>yourpersonalid:
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: b<b>http://decoderswlezrsa7.onion</b>intorbrowserandfollowtheinstructions.<br><br>yourpersonalid:
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: m targetpath="http://www.youtube.com/t3chyy"ourllink.savesetourllink=wshshell.createshortcut("fucked equals www.youtube.com (Youtube)
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://103.133.106.72/ini/................wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://103.155.83.184/invoice/inv_3452323.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://103.155.83.184/wireadv/invc_9800232.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.167.84.138/receipt/invc_0000560001.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.167.90.177/shpdocument/invc_0098008.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://103.167.90.69/receipt/inv_126776.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.167.93.12/invoice/invoice_000300020.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.167.93.37/invoice/invoice_000499000049.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.170.255.140/documents/invc_0044050506000.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.171.0.220/receipt/invoice_008789000.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://106.15.186.165/mstdx86.html(x-usc:http://106.15.186.165/mstdx86.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.172.130.145/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.173.143.102/hhh/invc_005400005400.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.173.219.125/msoffice/msoffice.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://117.48.146.246:8008/exploit.htm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.234.135.58/loadingupdate.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.119.43/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.245.119.43/recept/34.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://185.172.110.217/kvsn/image.png
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.173.34.107/office/document.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/prey.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://185.222.58.102/invoice/inv_9002343.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://188.127.254.159/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.219.10/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.219.10/office/doc13/dc.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://192.210.240.8/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.240.8/doc_document/188.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.240.8/inv/323.doc?
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://192.227.168.187/receipt/office_
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://192.3.110.133/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.3.110.133/dhl/125.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.3.110.172/documents/invc_009030009.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.3.122.162/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://192.3.141.173/word/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.3.152.171/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.169.253.204/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.123.210.174/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.107.11/....document........document/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.12.91.160/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.23.156.247/receipt/receipt.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://198.23.207.54/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://2.56.59.196:8000/index.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.51.227.181/layout20223acb.dotm
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://202.55.132.141/invoice/inv_009000987.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://202.55.132.141/receipt/inv_2331122.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://209.127.20.13/b44u8j.dotm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://209.141.40.190/xms
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://209.141.40.190/xms/tmp/xms
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://213.109.192.61/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://217.195.153.111/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.29.125.210/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.94.174.158/document/invc_00000023444.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.95.122.25/.-
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://23.95.52.140/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://23.95.52.140/win32/documentdoc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://23.95.85.171/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.104.223.22/dhl/receipt.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://3.134.125.175:9999/index.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.139.50.24/prv.php?id=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.70.225.229/inv/inv.doc?
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.133.1.53/2x/img_05421065.exe
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.144.31.232/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.150.67.233/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.67.229.164:7497/payload.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.76.53.253/1.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.76.53.253/1.htmlhttp://45.76.53.253/1.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://49.234.67.167/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.92.205.91/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.118.21.70/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://83.166.242.164/desktop-st7lsde/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://83.166.242.164/desktop-st7lsde/bid/relay.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://83.166.242.164/desktop-st7lsde/nay.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://83.166.246.59/sgz2/rejoice/lowered.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://83.166.246.59/ua-lt98brkc2/perform/luck/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://93.115.26.76:8000/index.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://a0708743.xsph.ru/regain/regions.pdf/f
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://acetica.online/presently/refuge/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://aktualizieren-wolke.de/99.dotm
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg==
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://arcorretoradeseguros.eating-organic.net
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://atozlovebook.com/vision.iosapp-o%appdata%
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://belkus.bounceme.net/preparation/bars/relation/heading/toppbw.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bitcoincoin.xyz/payment/xls.exe
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blattodea.ru/acd53ad2/although/clamp/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blattodea.ru/acd53ad2/although/clamp/clamp.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cakemixturereview.xyz/wp-includes/u2ayyvcprhwqeryw4/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://cdn.$
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://comunicaagorane.myvnc.com/cnre/out/gravadados.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://datasecure.icu/kb4209t/09xp
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://decoderswlezrsa7.onion
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://diagnostic.htb:
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docria.github.io
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://domainandserversecurityupdatedcomplete.duckdns.org/msoffice/document_012000.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://earium.ru/ua-lt5cg63120d6/country/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://egyptianredcrescent-alex.com/ucount=www.standardbankonline.encrypted/php/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://en.v9.com/?utm_source=b&utm_medium=
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://false.grafitto.ru/dch00-01/rehearsal.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://filecopying.xyz/update/kbp08x
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://files.telefacer.com/1/18.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://files.telefacer.com/1/2.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fusari.ru/904ce54ddc27/glitter/glitter1/salvage.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://gca.co.za/wp-content/plugins/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://github.com
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://goo.gl/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://htmlpreview.github.io
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://http://b0ffffff?ffffff???333333?333333?.drid
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://i.firstinstallmac.club/static/mplayer/mplayer.zip
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://ipv4.fiddler:
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://isearch.omiga-plus.com/?type=sc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://istart.webssearches.com/?type=sc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://jmcglone.com
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://karab.hopto.org/kilo.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kitten-268.frge.io/article.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kopot.myftp.biz/menu/kilos/oyjkff.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lump.semara.ru/dch00-01/counter/nearest/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lump.semara.ru/dch00-01/counter/nearest/needle.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://majesticraft.com/ema/panel/purchaseorder.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://media.vitkvitk.com/xmlstatic/ads/videoplaza/vittalia.html?df=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://melitaeas.online/985bdc0f/princess/go/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://metasploit.comvarshellcode1=unescape
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mishkat-arom.com/boutique/skin/frontend/rwd/default/js/lib/elevatezoom/2021/files/reportmaers
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nay78.glow.nakushita.ru/pr_kyy/endless.abr
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://newglobalinternationalsewdifwefkseifodwe.duckdns.org/vbc/document.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://officewindowssecurityfirewallopen.duckdns.org/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://outfish.bounceme.net/outl.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://pilasto.host/po.exe
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ppaauuaa11232.cc/dlx5rc.dotm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pretence77.glorious.nonima.ru/elenapc/principles/nearly.mp3
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://private0091111.duckdns.org/qagj/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://private0091111.duckdns.org/qagj/gipsy.png
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://ramashardware.co.za/wp-fxm.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://rgtconsultoriaimobiliaria.eating-organic.net
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://securecon.top/kb8xp/1806xp
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://securecon.top/kb8xp/248p
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://shgshgwsdynationalobjindustrialat18ygs.duckdns.org/receipt/invoice_202121.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://simpant.sc.ug/ccc/expl.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://snapper.genesysindonesia.com/excel/excelz/index.php?email=
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://sound23.sundabokun.ru/frimepc2016-pc/allowance.stc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://spr-updates.ddns.net/spr_updates.php-o
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://srsp.app/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://stdykungcommunicationtarisupliermg51gma.duckdns.org/receipt/invoice_651252.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://swipermachinereview.xyz/wp-includes/t3ow4kf0p0q8oo/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://theenterpriseholdings.com/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://thomastongrealestate.com/skywkc/3415201.pnga
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://thomastongrealestate.com/skywkc/dd(oaoabp%
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://thrprivatecloudshareandfileprotectagent.duckdns.org/receipt/invoice_651254.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://tomond.ru/vz/release/refreshment/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tomond.ru/vz/release/refreshment/regular.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://towardsdatascience.com
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://transfer.sh/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://trialservice.genesystuna.com/io/excelz/index.php?email=
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://usa-national.info/gpu/band/grumble.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://usa-national.info/gpu/self/relic.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://usb.mine.nu/c.sh-o/users/shared/c.sh
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://vesicafirearms.com/default_page_static_resources/are3qx2hrev8cstwss/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://vsit.site/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://windowsdefendergateway.duckdns.org/documents.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://word2022.c1.biz/template.dotm
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://wordgroup.bounceme.net/9cb6541e5b0d/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www-searches.com/?s=f1tzdefytd1
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://www.22apple.com/?utm_source=b&ch=sof&uid=
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://www.22find.com/?utm_source=b&utm_medium=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.5z8.info/cockfights_e9g5fw_aryanbr0ther00d
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bitly.com/yeuiqwbdhasdvbhsagdhj%public%
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bonusesfound.ml/update/index.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.comeinbaby.com/updateerror/fiif
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://www.delta-homes.com/?utm_source=b&utm_medium=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fopo.com.ar/thiscodewascreatedon
Source: notepad.exe, 00000000.00000002.606666431.000001CF7AA7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://www.mygreatlearning.com
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://www.poltc.cz/zackova/novak.exe-outfilec:
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.qvo6.com/?utm_source=b&utm_medium=
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://www.sakurasora.com/zsp_pdf.php%22%20method%3d%22post
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.shorturl.co.in/b8k74irtb
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://www.sweet-page.com/?type=sc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: http://www.systweak.com/registrycleaner
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.theabigailbloomcakecompany.co.uk/wp-content/uploads/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com/t3chyy
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://yourcontents.xyz/0758/0806pn
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://yuanbinglun.com/www.yuanbinglun.com/7kkwqmxrwqk0oli/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://a.pomf.cat/litjjy.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://a.pomf.cat/lphott.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://ab.v-mail.online/?e=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://acaciavictorias.com/sxmal.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://ads-letter.info/api/install/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://alejandraprestamosv7.ceramicdentalimplants.net.au/sleg.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://alttitude-finance.com/wp-content/plugins/js_composer/vendor/mmihey/5qwkwhxc.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.box.com/s/q5bvxbs72948q6t7n5nrft0lnuddkj7g
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aquesky.com/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://arcomsanitizacion.cl/asp/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://arcomsanitizacion.cl/asp/label.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://armybar.hopto.org/remoteload.dotm
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://awareaudience.com/bay/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://azur.melhordev.com/.well-known/acme-challenge/std/php/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bb.realestateprivateportfolio.com/img/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://benabase.com/cgi_bin/amvzdxmuc3vhcmv6qhzvbg90zweuy29t
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://bextlife.xyz/wizthaiguy/excell.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/alexserg112/newtrix/downloads/dfgdfg.dotm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/atlasover/atlassiancore/downloads/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/meganzscr/repname/downloads/frr.dotm
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/report-fedex.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://bluecornerblog.tk/puzo/doc/purchase.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://bnet.forrentinproutsneckthechip.com/z/script/veri/login.php?email=w.masiga
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://brandtrust.com.pk/fonts/login/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://browserimprovements.com/check-opt-out?url=$
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://business.missedvoicevolp.com/?e=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carpascapital.com/gbpg8mtsgbv/ka.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cartoonist.me.uk/wp-content/plugins/jetpack/scss/_utilities/us1svv7bfhaue.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/818650717425369109/820114768295231529/lll.x86
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://ceibosnorte.com/images/clients/01/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://ceibosnorte.com/images/clients/01/lub.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chargethe.cloud/audio/index.php#safa&#46;navas
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://childrenplacebd.com/functions/h
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chinatafseer.com/linners/vipe_11/send.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clever-links.com/kwihl
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clever-links.com/rgeaa
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cnaaa11sd.gb.net/efcdsvftgxc/?gdes3sc=6sdfr45
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://connectoutlook.email/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://connectoutlook.email/main.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://creators.care/zxhwcmvzc3jlcxvlc3razxhwzmyuy29t
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://debatestage.com/wp-admin/css/colors/blue/reportmaersk.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://diarnondfireplace.com/dobo/xxx.php?user=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://digitalsurana.com/wp-content/kch/new-po.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://divelpid.my/wp-content/themes/monolit/woocommerce/global/aaie6jbhso9.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://dn.se/bot_tjansteskrivelse.docx
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://docria.github.io
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://dohabritishschool.tk/pdf/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dohabritishschool.tk/pdf/ahmad.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doocument.m2diving.ml/fay/login.php?log
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://e-secure-log.ga/abu/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://e-secure-log.ga/abu/next.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://emicrosoftteam.com/scot/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://emicrosoftteam.com/scot/nxt.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://emulatoros.github.io
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://endodermic-needles.000webhostapp.com/clean.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://exaltmathiasministries.org/wp-content/plugins/litespeed-cache/src/cdn/zdac74pa.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://extraosseous.com/zik/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://extraosseous.com/zik/document.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://files.attend-doha-expo.com/inv.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/converter.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://formbucket.com/f/buk_
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fpvtunes.binaryprotectors.com/msreal/jreside
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://gengengma.com/wp-content/uploads/vipe_11/send.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://gez.org.zw/errorpages/load/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goodiebagkanvas.com/m/?login=ithelp
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://gorruck.com/random/8x8para.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://greatblueinds.com/ajx-admin/ckeditor/plugins/wsc/dialogs/3o9vbeip3k.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gruasphenbogota.com/c74hwggxi/ka.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://hide.link/lfspz
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hitechceramics.com/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hitechceramics.com/ajo/processor.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hitechceramics.com/egab/processor.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hitechceramics.com/emzf/processor.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hitechceramics.com/lin/processor.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hitechceramics.com/tism/processor.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hosteriaestilonorte.com.ar/admins/uzie/actions.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://inst.shconstmarket.com/veafdsag.msi?devop=ertnsgsfa
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://itop.so/cmuqy
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://itop.so/ucrek
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jeffmhall.net/lant/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jeffmhall.net/lant/next.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://jjgamemachine.com/cig.bin/realm/send.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jmcglone.com
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://josematechky.com/docs/ec21_order.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://juniorleadersacademy.com/reporthotmail.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://jupiter.co.tz/signature/trip/feed.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://k9b.site/20940293842309/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kaiedge.com/xp/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kes.kg/administrator/modules/mod_login/tmpl/1/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://lidamtour.com/masivo/ala/brinmst/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://lidamtour.com/masivo/ala/cronsrt/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lidamtour.com/masivo/ala/cronsrt/corn.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lidamtour.com/masivo/file/kmshost/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://livelongerfeelbetter.com/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://logz.live/frnd/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lussoarch.com/wp-admin/js/error.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://luxtonace.com/luxton/plugins/ckeditor/plugins/a11yhelp/9gysz7pxb.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mail.emifermetures.xyz/myguy/receiptswift.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://makeshort.link/gxhpg
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://malletteconstruc.com/tphead.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mamulln.cl/kwi/?email=travis_phillips
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://management.azure.com/subscriptions?api-version=2019-11-01
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://mediadigital.site/class-vc.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoftoffice365messaging.typeform.com/to/tdttiewp
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://micrsoft365.live/extension/api-fkdq8720/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://mor32.s3-eu-west-1.amazonaws.com/image2.png
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mutlumedya.com/wp-content/plugins/js_composer/include/autoload/ror2rmo2gr3k3.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://mygreatlearning.com
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://myown.bio/vvg
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nahidsanzida.buet.ac.bd//image/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nahidsanzida.buet.ac.bd//image/sof.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://natalierosenberg.com/wp-content/plugins/jetpack/images/apps/4dyirpzd9bmq.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://ndioma.000webhostapp.com/ghana/next.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://newwets.com/zip/document.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nimbusweb.me/s/share/5235436/fls1p6tk2mxpqwewbxq4
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://o.vg/5qxon3b
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://office.michiganappellateblog.com/soft.dll
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://onlinemicrosoftwebcenter.mfs.gg/kksutjc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://oremoralesabogados.com.pe/scripts/wqpcodwcgmkqsz.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://pages.github.com
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://palmtree-fatdogg.com/blog/wp-includes//wacs/quangcaorongvang/reportdhlnew2.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://panelbroadcast.com/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://partoniroo.com/n9/u.js&&pingo0.org&&cd
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrgcm7nkd.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pigeonious.com/img/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://plectrum.sebdelaweb.com/mnmn/index.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://poxy.li/fccdu
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://produsedecalitate.ro/request.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://prowebhq.com/wp-content/themes/twentynineteen/template-parts/content/ldkajkqouw6nel.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://purepowerinc.net/nlugz/082.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://raw.githubusercontent.com/elevenpaths/ibombshell/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/netspi/microburst/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://raw.githubusercontent.com/s3cur3th1ssh1t/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rawcdn.githack.net/up.php?key=5
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://rebrand.ly/5crkai2
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://rebrand.ly/6wkxsh9
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://rebrand.ly/b3y54pr
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://rebrand.ly/bgl7jw3
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://rebrand.ly/lejzqer
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reformationtheology.com/2017/01/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://relaja.me/qw5hlk1vcmvqb25azglzywdydxbvlmvz
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://s3.us-east-2.amazonaws.com/cotazion.pago/recibo.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://s3r.io/s53yms
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sdm.adgsystems.do/send.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secured-scanner.website/?email=yw5kcmv3lmn1cmrac2dzlmnvbq==
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://sendayancity.com/wp-uni/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://sendayancity.com/wp-uni/eiv.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://server.voi-cememnet.xyz/?e=yndpbgxpbmdoyw1ad3loes5vcmc=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://servermaintenanceerrors.mfs.gg/4lvit89
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://share.bloomcloud.org/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://shortdd.com/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://silindigam.top/ecm/ibm/3755614780/converter.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sitesimobisis.com.br/bin/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://skripon.com/oozoo/document.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smartloan.lk/application/third_party/requests-master/tests/auth/ggqqrzeptva5.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbcom4jsnai.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://smpn1kunjangkediri.sch.id/wp-content/uploads/upgrabe/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://soft-gps.com/wp-content/plugins/cvuohucwkp/tre/swt.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://sotein.com.ec/wp-includes1/dhlexpress/dhl/dugzmmp.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spi767igbutt.ru/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spy24.online/bpzpt
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spy24.online/fnexl
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spy24.online/zhmbj
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://staralevator.com/anygas/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://staralevator.com/anygas/nxt.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://statement-invoice-remittance-74768477.square.site/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://storage.googleapis.com/adjunto/factura.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://submit-form.com/draxgxm0
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://super-giveaway.com/wp-content/uploads/2021/vipe_11/send.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sushiprueba.pegatinastudio.com/images/productos/bebidas/gddwgrtj67g88s.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sviescfze.com/chinaguy1dadgw/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://tales.pt/webmail-purchase/reportexcel.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tapro-trgovina.com/yalladg/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tapro-trgovina.com/yalladg/yalla.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://teachon.aerialview.lk/systemdemo/uploads/addons/__macosx/live-class/f2u4p7u3jk.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://themunnarholidays.com/fassets/js/plugin/bxslider/images/pdac4ckn8mkdiq.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://thersshy.dynssl.com//
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://thersshy.dynssl.com//post.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://tiger.hotshot.sk/wp-admin/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tph786.com/gym/assets/css/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tph786.com/sale/images/avatar/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tpow.zeroworld.xyz/home/application/views/sistem/notifikasi/usqg66westx.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://transfer.sh/get/0oulld/i9ch18.dotm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://transfer.sh/get/vazkus/xp0rg2.dotm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triste-mega-down.com/ecm/ibm/3183125126/converter.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tulsabailbondfinancing.com/c2hhbmvazxhwzmyuy29t
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tulsabailbondfinancing.com/dglmzmfueublehbmzi5jb20=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ultravolt.xyz/.voice/new/?email=jblaauw
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unlibroparatodos.mx/wp-content/themes/divi/epanel/css/tpcsfltfzf9r7yx.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://updatesdomainn.ml/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://updatesdomainn.ml/post.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://upgrade-office.com/presumed8scruple6planer9tabor0novator3softly4unhampered0
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://url.welimitless.in/bqbvn
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://url.welimitless.in/bvmms
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://url.welimitless.in/pacdt
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://url.welimitless.in/trjtk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://url.welimitless.in/unqkn
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://urlsv.vercel.app/375ca8
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://urlsv.vercel.app/be998e
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://vaqww.dyndns.dk/tolly5/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://vaqww.dyndns.dk/tolly5/next.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vija-tech.si/wp-admin/maint/reportexcelindeed2.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vikinproducts.com/brknautodgw/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vikinproducts.com/brknautodgw/index.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://visualscope.org/visual/office/css/nelz.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wahuldva.co.uk/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://waselp.com.sa/wp-includes/widgets/w/s.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://websekir.com/network/index/processingsetrequestbot/?servername=msi-outfilenetwork.exe
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://wwdurl.com/3nav
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://wwdurl.com/txln
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.alliedglobal.marketing/
Source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.bot.ax/jiytb
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.emailmeform.com/builder/emf/webssw/mlcrosoft
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.emprepyme.com.ar/wp/wp-includes/simplepie/decode/html/brcpaoywx.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mediafire.com/file/frjrn9astpfr2ua/1.htm/file
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.miracleworkstudios.com/wp-content/uploads/2019/12/app/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.mygreatlearning.com
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.piriform.com/inapp/installerofferpage
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.qualityautopartleads.com/plugins/revolution/fonts/revicons/j6-re45/mine.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.sanlorenzoyacht.com/newsl/uploads/docs/1.dotm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.soul-yemen.org/helpdesk.com/msg/helpdesk/index.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.sputnikradio.net/radio/news/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.uscc.gov/sites/default/files/2020-06/june_2020_trade_bulletin.pdf
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.vespang.cf/ideshow/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.vespang.cf/ideshow/post.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.vespang.cf/sizx/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://www.vespang.cf/sizx/post.php
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ziengineeringco.com/project-arab-contracting/css/dahbzo4xg.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log String found in binary or memory: https://zo.hen88-dif09.xyz/?e=c3vwcg9ydebsywjvcmxhd3bvc3rlcnnvbmxpbmuuy29t
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zoutomes.hopesrvn.xyz//?e=klamb

System Summary

Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Detects PowerShell content designed to retrieve passwords from host Author: ditekSHen
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects PowerShell content designed to retrieve passwords from host Author: ditekSHen
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Detects PowerShell content designed to retrieve passwords from host Author: ditekSHen
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, score = file, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword author = ditekSHen, description = Detects PowerShell content designed to retrieve passwords from host
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword author = ditekSHen, description = Detects PowerShell content designed to retrieve passwords from host
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, score = file, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword author = ditekSHen, description = Detects PowerShell content designed to retrieve passwords from host
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log Virustotal: Detection: 16%
Source: C:\Windows\System32\notepad.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: classification engine Classification label: mal100.troj.expl.evad.mine.winLOG@1/0@0/0
Source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT Key, CurrentCount FROM SdnEx WHERE Key = ? SELECT ID FROM SdnEx WHERE SdnEx.Key = ?; SELECT Count(1) FROM SdnEx; DELETE FROM SdnEx WHERE SdnEx.Key = ?; DELETE FROM SdnEx; INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?); DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?;
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log Static file information: File size 20971520 > 1048576
Source: Binary string: )9 /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpengine.pdb OGPS source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log

Malware Analysis System Evasion

Source: Yara match File source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Z "/providers/microsoft.compute/virtualmachines/",
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log Binary or memory string: "/providers/microsoft.compute/virtualmachines/",
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log Binary or memory string: Z"/providers/microsoft.compute/virtualmachines/",

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\Desktop\App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log VolumeInformation

Remote Access Functionality

Source: Yara match File source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
Source: Yara match File source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR
No contacted IP infos